manualshive.com logo in svg

Cisco Aironet 350 Series, Administration Manual

The Cisco Aironet 350 Series is a cutting-edge wireless access point that offers seamless connectivity. To swiftly set it up, you can easily access the free Quick Start Manual available for download at our website. This comprehensive manual provides step-by-step instructions and guidelines to optimize your experience with the Cisco Aironet 350 Series.

Share
Download
background image

Security: Secure Sensitive Data Management

SSD Management Channels

Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4

375

19

 

If the configuration file was generated with a user passphrase and SSD file passphrase control 
is Restricted, the resulting configuration file can be auto-configured to the desired target 
devices. However, for auto configuration to succeed with a user-defined passphrase, the target 
devices must be manually pre-configured with the same passphrase as the device that 
generates the files, which is not zero touch. 

If the device creating the configuration file is in Unrestricted passphrase control mode, the 
device includes the passphrase in the file. As a result, the user can auto configure the target 
devices, including devices that are out-of-the-box or in factory default, with the configuration 
file without manually pre-configuring the target devices with the passphrase. This is zero 
touch because the target devices learn the passphrase directly from the configuration file. 

NOTE

Devices that are out-of-the-box or in factory default states use the default anonymous user to 
access the SCP server. 

SSD Management Channels

Devices can be managed over management channels such as telnet, SSH, and web. SSD 
categories the channels into the following types based on their security and/or protocols: 
secured, insecure, secure-XML-SNMP, and insecure-XML-SNMP.

The following describes whether SSD considers each management channel to be secure or 
insecure. If it is insecure, the table indicates the parallel secure channel.

Management Channel 

SSD Management 
Channel Type 

Parallel Secured Management 
Channel

Console Secure 

Telnet Insecure 

SSH 

SSH Secure 

GUI/HTTP Insecure 

GUI/HTTPS 

GUI/HTTPS Secure 

XML/HTTP Insecure-XML-SNMP 

XML/HTTPS 

XML/HTTPS Secure-XML-SNMP 

SNMPv1/v2/v3 without 
privacy 

Insecure-XML-SNMP Secure-XML-SNMP

SNMPv3 with privacy 

Secure-XML-SNMP 
(level-15 users) 

Summary of Contents for Aironet 350 Series

Page 1: ...Cisco 350 350X and 550X Series Managed Switches Firm ware Release 2 4 ver 0 4 ADMINISTRATION GUIDE ...

Page 2: ...nfiguring Your Switch Using the Console Port 16 USB Port 17 Switch Features 17 Chapter 2 General Information 23 Basic or Advanced Display Mode 23 Quick Start Device Configuration 25 Interface Naming Conventions 26 Window Navigation 27 Search Facility 30 Chapter 3 Dashboard 31 Grid Management 31 System Health 33 Resource Utilization 34 Identification 35 Port Utilization 36 PoE Utilization 37 Latest...

Page 3: ... Statistics 47 System Summary 48 CPU Utilization 50 Interface 50 Etherlike 52 Port Utilization 53 GVRP 53 802 1X EAP 54 ACL 56 Hardware Resource Utilization 56 Health and Power 57 Switched Port Analyzer SPAN 61 Diagnostics 62 RMON 66 View Logs 74 Chapter 6 Administration 77 System Settings 78 User Accounts 79 Idle Session Timeout 80 Time Settings 80 System Log 80 File Management 84 Plug n Play PNP...

Page 4: ...5 File Operations 99 File Directory 106 DHCP Auto Configuration Image Update 107 Chapter 8 Administration Stack Management 116 Overview 116 Types of Units in Stack 117 Stack Topology 118 Unit ID Assignment 119 Master Selection Process 120 Stack Changes 120 Unit Failure in Stack 121 Stack Ports 123 Software Auto Synchronization in Stack 126 Stack Management 130 Chapter 9 Administration Time Setting...

Page 5: ... Discover LLDP 147 Discovery CDP 168 Chapter 11 Port Management 177 Workflow 177 Port Settings 178 Error Recovery Settings 181 Loopback Detection Settings 182 Link Aggregation 185 PoE 193 Green Ethernet 202 Chapter 12 Smartport 210 Overview 210 How the Smartport Feature Works 215 Auto Smartport 215 Error Handling 219 Default Configuration 219 Relationships with Other Features 220 Common Smartport ...

Page 6: ...ttings 264 RSTP Interface Settings 266 Multiple Spanning Tree Overview 268 MSTP Properties 268 VLANs to a MSTP Instance 269 MSTP Instance Settings 270 MSTP Interface Settings 271 Chapter 15 Managing MAC Address Tables 274 Static Addresses 275 Dynamic Addresses 276 Chapter 16 Multicast 277 Multicast Forwarding Overview 277 Properties 283 MAC Group Address 284 IP Multicast Group Address 285 IPv4 Mul...

Page 7: ... 300 IPv6 Management and Interfaces 309 Domain Name System 329 Chapter 18 IP Configuration RIPv2 334 Overview 334 How Rip Operates on the Device 335 Configuring RIP 338 Access Lists 343 Chapter 19 IP Configuration VRRP 346 Overview 346 VRRP Topology 347 Configurable Elements of VRRP 348 Configuring VRRP 351 Chapter 20 IP Configuration SLA 355 Overview 355 Using SLA 358 Chapter 21 Security 362 RADI...

Page 8: ...er 22 Security 802 1X Authentication 393 Overview 393 Properties 401 Port Authentication 403 Host and Session Authentication 405 Authenticated Hosts 406 Chapter 23 Security Secure Sensitive Data Management 407 Introduction 407 SSD Management 408 SSD Rules 408 SSD Properties 413 Configuration Files 416 SSD Management Channels 420 Menu CLI and Password Recovery 421 Configuring SSD 421 Chapter 24 Sec...

Page 9: ...Overview 440 Router Advertisement Guard 443 Neighbor Discovery Inspection 444 DHCPv6 Guard 444 Neighbor Binding Integrity 445 IPv6 Source Guard 447 Attack Protection 448 Policies Global Parameters and System Defaults 450 Common Tasks 452 Default Settings and Configuration 454 Configuring IPv6 First Hop Security through Web GUI 455 Chapter 27 Access Control 474 Overview 474 MAC Based ACLs Creation ...

Page 10: ...7 Views 529 Groups 530 Users 532 Communities 534 Trap Settings 536 Notification Recipients 536 Notification Filter 541 Chapter 30 Smart Network Application SNA 542 SNA Sessions 543 SNA Graphics 544 Top Right Hand Menu 546 Topology View 547 Right Hand Information Panel 556 Operations 570 Overlays 575 Tags 578 Search 582 Dashboard 584 Notifications 586 Device Authorization Control DAC 589 DAC Workfl...

Page 11: ...Cisco 350 350X and 550X Series Managed Switches Firmware Release 2 4 ver 0 4 10 Contents Services 595 Saving SNA Settings 613 Technical Details 614 ...

Page 12: ...begin installing your device ensure that the following items are available RJ 45 Ethernet cables for connecting network devices A category 6a and higher cable is required for 10G ports a category 5e and higher cable is required for all other ports Console cable for using the console port to manage your switch Tools for installing the hardware The rack mount kit packed with the switch contains four...

Page 13: ...U of space which is 1 75 inches 44 45 mm high CAUTION For stability load the rack from the bottom to the top with the heaviest devices on the bottom A top heavy rack is likely to be unstable and might tip over To install the switch into a 19 inch standard chassis STEP 1 Place one of the supplied brackets on the side of the switch so that the four holes of the brackets align to the screw holes and ...

Page 14: ...g power requirement Table 1 Switches with Power Over Ethernet SKU Name Description PoE PD Chipset Type PoE PSE Chipset Type PoE PD AF AT 60W PoE PSE AF AT 60W SF352 08P SF352 08P 8 Port 10 100 PoE Managed Switch 2x PD70210 2x PD70222 1 x LX7309 1 69208M 0x4B42 AF AT 60W AT SF352 08MP SF352 08MP 8 Port 10 100 PoE Managed Switch 2x PD70210 2x PD70222 1 x LX7309 1 69208M 0x4B42 AF AT 60W AT SF350 24P...

Page 15: ...naged Switch 2x PD70210 2x PD70222 1 x LX7309 1 PD69208 0x4AC2 1 69208M 0x4B42 AF AT 60W AT SG350 10MP SG350 10MP 10 Port Gigabit PoE Managed Switch 2x PD70210 2x PD70222 1 x LX7309 1 PD69208 0x4AC2 1 69208M 0x4B42 AF AT 60W AT SG350 10SFP SG350 10SFP 10 Port Gigabit SFP Managed Switch N A N A N A N A SG350 28P SG350 28P 28 Port Gigabit PoE Managed Switch N A 3x PD69208 1 PD69204 0x4AC2 3 69208M 0...

Page 16: ... 69204 0x4B42 N A AF AT 60W SG350X 24P SG350X 24P 24 Port Gigabit PoE Stackable Managed Switch N A 3x PD69208 1 PD69204 0x4AC2 3 69208M 0x4B42 1 69204 N A af at 60w SG350X 24MP SG350X 24MP 24 Port Gigabit PoE Stackable Managed Switch N A 3x PD69208 1 PD69204 0x4AC2 3 69208M 0x4B42 1 69204 N A af at 60w SG350X 24PD SG350X 24PD 24 Port 2 5G PoE Stackable Managed Switch NA 3 69208M 0x4B42 1 69204 NA ...

Page 17: ... Port 10 100 PoE Stackable Managed Switch N A 7 PD69208 0x4AC2 7 69208M 0x4B42 N A af at 60w SF550X 48MP SF550X 48MP 48 Port 10 100 PoE Stackable Managed Switch N A 7 PD69208 0x4AC2 7 69208M 0x4B42 N A af at 60w SG550X 24P SG550X 24P 24 Port Gigabit PoE Stackable Managed Switch N A 4 PD69208 0x4AC2 4 69208M 0x4B42 N A af at 60w SG550X 24MP SG550X 24MP 24 Port Gigabit PoE Stackable Managed Switch N...

Page 18: ... PoE switches are PSE and as such should be powered by AC they could be powered up as a legacy PD by another PSE due to false detection When this happens the PoE switch may not operate properly and may not be able to properly supply power to its attaching PDs To prevent false detection you should disable PoE on the ports on the PoE switches that are used to connect to PSEs You should also first po...

Page 19: ...of 192 168 1 254 with a subnet of 24 When the switch is using the factory default IP address the System LED flashes continuously When the switch is using a DHCP server assigned IP address or an administrator has configured a static IP address the System LED is a steady green DHCP is enabled by default If you are managing the switch through a network connection and the switch IP address is changed ...

Page 20: ...d to install an ActiveX plug in when connecting to the device follow the prompts to accept the plug in STEP 5 Enter the switch IP address in the address bar and press Enter For example http 192 168 1 254 STEP 6 When the login page appears choose the language that you prefer to use in the web based interface and enter the username and password The default username is cisco The default password is c...

Page 21: ...e port using the supplied console cable STEP 2 Start a console port utility such as HyperTerminal on the computer STEP 3 Configure the utility with the following parameters 115200 bits per second 8 data bits no parity 1 stop bit no flow control STEP 4 Enter a username and password The default username is cisco and the default password is cisco Usernames and passwords are both case sensitive If thi...

Page 22: ...on both in band and out of band interfaces The OOB port is assigned an MAC address which is different from the base MAC address and the addresses of the in band ports This MAC address is used as the source MAC address in all frames including IP frames sent by the switch on the OOB port The IP address assigned to this port cannot be assigned to the in band ports at the same time In addition the IP ...

Page 23: ...N Static route on OOB port Static routes are supported on the OOB port IPv4 Address on OOB port Only one IPv4 address can be defined on the OOB port The default static IP address is set only on the OOB IP Applications All IP applications such as telnet SSH except for the following ones are supported on the OOB port ARP Proxy Routing protocols Relay applications DHCP DHCPv6 and UDP QoS ACL QoS and ...

Page 24: ...contents Copy files to from USB the same as with TFTP Delete rename and display the contents of USB files Stacking the Switches By default the ports on a switch function as regular Ethernet ports except if you configure them to do stacking You cannot mix the stack speeds between the switches or ports See the front panel figures in 98DX4203 98DX4204 98DX4210 98DX4211 and 98DX4212Switch Features to ...

Page 25: ...th your switch Product Models The following are the available product models Table 2 Product Models SKU Name Description SG350XG 24F SG350XG 24F 24 Port 10G SFP Stackable Managed Switch SG350XG 24T SG350XG 24T 24 Port 10GBase T Stackable Managed Switch SG350XG 48T SG350XG 48T 48 Port 10GBase T Stackable Managed Switch SG350XG 2F10 SG350XG 2F10 12 Port 10G Stackable Managed Switch SG550XG 8F8T SG55...

Page 26: ...50 24P SF350 24P 24 Port 10 100 PoE Managed Switch SF350 24MP SF350 24MP 24 Port 10 100 PoE Managed Switch SF350 48 SF350 48 48 Port 10 100 Managed Switch SF350 48P SF350 48P 48 Port 10 100 PoE Managed Switch SF350 48P SF350 48P 48 Port 10 100 PoE Managed Switch SF350 48MP SF350 48MP 48 Port 10 100 PoE Managed Switch SG350 08PD SG350 8PD 8 Port 2 5G PoE Managed Switch SG350 10 SG350 10 10 Port Gig...

Page 27: ...t Gigabit SFP Managed Switch SG350 20 SG350 20 20 Port Gigabit Managed Switch SG350 28 SG350 28 28 Port Gigabit Managed Switch SG350 28P SG350 28P 28 Port Gigabit PoE Managed Switch SG350 28MP SG350 28MP 28 Port Gigabit PoE Managed Switch SG350 28SFP SG350 28SFP 28 Port Gigabit SFP Managed Switch SG350 52 SG350 52 52 Port Gigabit Managed Switch SG350 52P SG350 52P 52 Port Gigabit PoE Managed Switc...

Page 28: ... Stackable Managed Switch SG350X 24MP SG350X 24MP 24 Port Gigabit PoE Stackable Managed Switch SG350X 24PD SG350X 24PD 24 Port 2 5G PoE Stackable Managed Switch SG350X 48 SG350X 48 48 Port Gigabit Stackable Managed Switch SG350X 48P SG350X 48P 48 Port Gigabit PoE Stackable Managed Switch SG350X 48MP SG350X 48MP 48 Port Gigabit PoE Stackable Managed Switch SF550X 24 SF550X 24 24 Port 10 100 Stackab...

Page 29: ... SF550X 48MP 48 Port 10 100 PoE Stackable Managed Switch SG550X 24 SG550X 24 24 Port Gigabit Stackable Managed Switch SG550X 24P SG550X 24P 24 Port Gigabit PoE Stackable Managed Switch SG550X 24MP SG550X 24MP 24 Port Gigabit PoE Stackable Managed Switch SG550X 24MPP SG550X 24MPP 24 Port Gigabit PoE Stackable Managed Switch SG550X 48 SG550X 48 48 Port Gigabit Stackable Managed Switch SG550X 48P SG5...

Page 30: ...h SX350X 24 SX350X 24 24 Port 10GBase T Stackable Managed Switch SX350X 52 SX350X 52 52 Port 10GBase T Stackable Managed Switch SX550X 16FT SX550X 16FT 16 Port 10G Stackable Managed Switch SX550X 12F SX550X 12F 12 Port 10G SFP Stackable Managed Switch SX550X 24 SX550X 24 24 Port 10GBase T Stackable Managed Switch SX550X 24FT SX550X 24FT 24 Port 10G Stackable Managed Switch SX550X 24F SX550X 24F 24...

Page 31: ...found on the front panel of the device USB Port The USB port connects the switch to a USB device so that you can save and restore the configuration files firmware images and SYSLOG files through the connected USB device RJ 45 Ethernet Ports The RJ 45 Ethernet ports connect network devices such as computers printers and access points to the switch Multigigabit Ethernet Ports Highlighted in blue the...

Page 32: ...U1M SFP H10GB CU3M and SFP H10GB CU5M The SFP port is a combination port shared with one other RJ 45 port When the SFP is active the adjacent RJ 45 port is disabled Some SFP interfaces are shared with one other RJ 45 port called a combo port When the SFP is active the adjacent RJ 45 port is disabled The LEDs of the corresponding RJ 45 port flash green to respond to the SFP interface traffic OOB Po...

Page 33: ...nder 1000 Mbps or nothing is cabled to the port SFP if present Green Located on the right of a 10G port The LED lights steady when a connection is made through the shared port and flashes when the port is passing traffic PoE if present Amber Located on the right of the port The LED lights steady when power is being supplied to a device attached to the corresponding port Reset Button The switch can...

Page 34: ... features and therefore the WEB GUI includes hundreds of configuration and display pages These pages are divided into the following display modes Basic Basic subset of configuration options are available If you are missing some configuration option select the Advanced mode in the device header Advanced Full set of configuration options are available Navigate from one mode to another as shown below...

Page 35: ...t page of the folder which was used by the user If the folder does not exist the Getting Started page will be displayed If there is advanced configuration and the page is loaded in basic mode a page level message will be displayed to the user e g there are 2 radius server configured but in basic mode only a single server can be displayed or there is 802 1X port authentication with time range confi...

Page 36: ...s link takes you to the Support Community page Category Link Name on the Page Linked Page Initial Setup Manage Stack Administration Stack Management Change Management Applications and Services TCP UDP Services Change Device IP Address IPv4 Interface Create VLAN VLAN Settings Configure Port Settings Port Settings Device Status System Summary System Summary Port Statistics Interface RMON Statistics ...

Page 37: ... family Gigabit Ethernet ports 10 100 1000 bits These are displayed as GE Supported only on the 350 family Ten Gigabit Ethernet ports 1000 10 000 Mbps These are displayed as XG Out of Band Port This is displayed as OOB LAG Port Channel These are displayed as LAG VLAN These are displayed as VLAN Tunnel These are displayed as Tunnel Unit Number Number of the unit in the stack The unit number togethe...

Page 38: ...n and the Save application link are no longer displayed When the device is rebooted it copies the Startup Configuration file type to the Running Configuration and sets the device parameters according to the data in the Running Configuration Username Displays the name of the user logged on to the device The default username is cisco The default password is cisco Host Name Displays the host name ass...

Page 39: ...nfigure the number of entries per page Indicates a mandatory field Add Click to display the related Add page and add an entry to a table Enter the information and click Apply to save it to the Running Configuration Click Close to return to the main page Click Save to display the Copy Save Configuration page and save the Running Configuration to the Startup Configuration file type on the device App...

Page 40: ...described below 1 Select the entry to be copied Click Copy Settings to display the popup 2 Enter the destination entry numbers in the to field 3 Click Apply to save the changes and click Close to return to the main page Delete After selecting an entry in the table click Delete to remove Details Click to display the details associated with the entry selected Edit Select the entry and click Edit The...

Page 41: ...elevant GUI pages The search result for a keyword includes links to the relevant pages and also links to the relevant help pages To access the search function enter a key word and click on the magnifying glass icon The following is an example of the results when searching for the keyword CDP If you are in Basic mode links to pages in Advanced mode are displayed but not available ...

Page 42: ...ashboard loads the modules you selected for the dashboard are loaded in their locations in the grid The data in the modules is updated periodically in intervals depending on the module type These intervals are configurable for some modules This following topics are covered in this chapter Grid Management System Health Resource Utilization Identification Port Utilization PoE Utilization Latest Logs...

Page 43: ...odule from the list of modules on the right and dragging and dropping it to any space in the grid The modules are divided into the following groups Small Modules are modules that take up a single square Large Modules take up two squares If you drag a module into a space currently occupied the new module replaces the previous one You can re arrange the placement of the modules in the grid by draggi...

Page 44: ... buttons These button perform the following Pencil Opens configuration options depending on the module Refresh Refreshes the information X Removes the module from the dashboard System Health This module displays information about device temperature when such information is available for a standalone device or for each device in the stack as shown below The following icons are shown Fan Status Yell...

Page 45: ... open the Health and Power page Resource Utilization This module displays the utilization status in terms of a percentage of the various system resources as a bar chart as shown below The resources monitored are Multicast Groups Percentage of Multicast groups that exist out of the maximum possible number that are permitted to be defined MAC Address Table Percentage of MAC Address table in use TCAM...

Page 46: ... Utilization Identification This module displays basic information regarding the device and stack as shown below It displays the following fields System Description Displays description of the device Host Name Entered in the System Settings page or default is used Also can be added in the Getting Started Wizard Firmware Version Current firmware version running on device MAC Address master unit MAC...

Page 47: ...n System Settings System Summary Click to open System Summary Port Utilization This modules displays the ports on the device in either device or chart view The view is selected in the configuration options pencil icon in upper right corner Display Mode Device View Displays the device Hovering over a port displays information about it Display Mode Chart View A list of ports is displayed The port ut...

Page 48: ...old to 100 is red In the middle of the gauge the actual PoE utilization value is shown in watts Each bar represents the PoE utilization percentage value of the device on a scale of 0 to 100 If the PoE utilization is higher than the traps threshold the bar is red Otherwise the bar is green When hovering on a bar a tooltip appears showing the actual PoE utilization of the unit in watts Additional vi...

Page 49: ...fresh Time Select one of the options displayed View Logs Click to open RAM Memory NOTE See View Logs for more information Suspended Interfaces This module displays interfaces that have been suspended in either device or table view The view is selected in the configuration options pencil icon in upper right corner Device View In this view the device is displayed This is shown below When units are c...

Page 50: ...ed to select a specific stack unit Information is displayed in table form as shown below The following fields are displayed Interface Port or LAG that was suspended Suspension Reason Reason interface was suspended Auto recovery current status Has auto recovery been enable for the feature that caused the suspension The following configuration options right hand corner are available Display Mode Sel...

Page 51: ...as shown below The following fields are displayed Stack Topology Either Chain or Ring see Types of Stack Topology Stack Master Number of unit functioning as the master unit of the stack Hovering over a unit in the module displays a tooltip identifying the unit and providing basic information on its stacking ports Hovering over a stack connection in the module displays a tooltip detailing the conne...

Page 52: ...ys a diagram of the device as shown below In stacking mode a drop down selector enables you to select the device to be viewed All suspended ports in the device are shown as red Hovering over a suspended port displays a tooltip with the following information Port name If the port is a member of a LAG the LAG identity of the port Details of the last error logged on the port Display Mode Table View I...

Page 53: ...nd Next STEP 3 Enter the fields System Location Enter the physical location of the device System Contact Enter the name of a contact person Host Name Select the host name of this device This is used in the prompt of CLI commands Use Default The default hostname System Name of these switches is switch123456 where 123456 represents the last three bytes of the device MAC address in hex format User De...

Page 54: ...he DNS server STEP 6 Click Next STEP 7 Enter the fields Username Enter a new user name between 0 and 20 characters UTF 8 characters are not permitted Password Enter a password UTF 8 characters are not permitted If the password strength and complexity is defined the user password must comply with the policy configured in Password Strength Confirm Password Enter the password again Password Strength ...

Page 55: ...TEP 1 Click Configuration Wizards VLAN Configuration Wizard STEP 2 Click Launch Wizard and Next STEP 3 Select the ports that are to be configured as trunk port by clicking with mouse on the required ports in the graphical display Ports that are already configured as Trunk ports are pre selected STEP 4 Click Next STEP 5 Enter the fields VLAN ID Select the VLAN you want to configure You can select e...

Page 56: ...ace Drop packets that meet the ACL criteria and disable the port from where the packets received Such ports can be reactivated from the Error Recovery Settings page STEP 6 For a MAC based ACL enter the fields Source MAC Address Select Any if all source address are acceptable or User defined to enter a source address or range of source addresses Source MAC Value Enter the MAC address to which the s...

Page 57: ...Accept all IP protocols packets TCP Accept Transmission Control Protocols packets UDP Accept User Datagram Protocols packets ICMP Accept ICMP Protocols packets IGMP Accept IGMP Protocols packets Source Port for TCP UDP Select a port from the drop down list Destination Port for TCP UDP Select a port from the drop down list Source IPAddress Select Any if all source address are acceptable or User def...

Page 58: ...onfirm that you want the ACL and ACE to be created The details of the ACL rule are displayed You can click Add another rule to this ACL to add another rule STEP 10 Click Next and enter the ACL Binding information Binding Type Select one of the following options to bind the ACL Physical interfaces only Bind the ACL to a port In this case click a port or ports on which to bind the ACL VLANs only Bin...

Page 59: ...tistics This section describes how to view device statistics It covers the following topics System Summary CPU Utilization Interface Etherlike Port Utilization GVRP 802 1X EAP ACL Hardware Resource Utilization Health and Power Switched Port Analyzer SPAN and RSPAN Diagnostics RMON sFlow View Logs ...

Page 60: ...evice host name is composed of the word switch concatenated with the three least significant bytes of the device MAC address the six furthest right hexadecimal digits System Object ID Unique vendor identification of the network management subsystem contained in the entity used in SNMP System Uptime Time that has elapsed since the last reboot Current Time Current system time Base MAC Address Device...

Page 61: ...To reset the following fields click Edit to open the TCP UDP Services page HTTP Service Whether HTTP is enabled disabled HTTPS Service Whether HTTPS is enabled disabled SNMP Service Whether SNMP is enabled disabled Telnet Service Whether Telnet is enabled disabled SSH Service Whether SSH is enabled disabled PoE Power Information on Master Unit on devices supporting PoE PoE Power Information on Mas...

Page 62: ...eives and processes management and protocol traffic no matter how much total traffic is received SCT is enabled by default on the device and cannot be disabled There are no interactions with other features To display CPU utilization STEP 1 Click Status and Statistics CPU Utilization The CPU Input Rate field displays the rate of input frames to the CPU per second The window contains a graph display...

Page 63: ...rnet statistics are refreshed The Receive Statistics area displays information about incoming packets Total Bytes Octets Octets received including bad packets and FCS octets but excluding framing bits Unicast Packets Good Unicast packets received Multicast Packets Good Multicast packets received Broadcast Packets Good Broadcast packets received Packets with Errors Packets with errors received The ...

Page 64: ...like STEP 2 Enter the parameters Interface Select the specific interface for which Ethernet statistics are to be displayed Refresh Rate Select the amount of time that passes before the Etherlike statistics are refreshed The fields are displayed for the selected interface NOTE If one of the following fields shows a number of errors not 0 a Last Update time is displayed Frame Check Sequence FCS Erro...

Page 65: ...e interface Ethernet statistics are refreshed The following fields are displayed for each port Interface Name of port Tx Utilization Amount of bandwidth used by outgoing packets Rx Utilization Amount of bandwidth used by incoming packets To view a graph of historical utilization over time on the port select a port and click View Interface History Graph In addition to the above the following field ...

Page 66: ...r interface These are displayed for Received and Transmitted packets Join Empty GVRP Join Empty packets received transmitted Empty GVRP empty packets received transmitted Leave Empty GVRP Leave Empty packets received transmitted Join In GVRP Join In packets received transmitted Leave In GVRP Leave In packets received transmitted Leave All GVRP Leave All packets received transmitted The GVRP Error ...

Page 67: ...on the port EAPOL Logoff Frames Received EAPOL Logoff frames received on the port EAPOLAnnouncement Frames Received EAPOLAnnouncement frames received on the port EAPOLAnnouncement Request Frames Received EAPOL Announcement Request frames received on the port EAPOL Invalid Frames Received EAPOL invalid frames received on the port EAPOL EAP Length Error Frames Received EAPOL frames with an invalid P...

Page 68: ... to view the counters of all interfaces Click Clear Interface Counters to clear the counters of all interfaces ACL When the ACL logging feature is enabled an informational SYSLOG message is generated for packets that match ACL rules To view the interfaces on which packets forward or rejected based on ACLs STEP 1 Click Status and Statistics ACL STEP 2 Select the Refresh Rate time period in seconds ...

Page 69: ...stics Hardware Resource Utilization The following fields are displayed Unit No Unit in stack for which TCAM utilization appears This is not displayed when the device is in not part of a stack IPv4 Policy Based Routing In Use Number of router TCAM entries used for IPv4 Policy based routing Maximum Maximum number of available router TCAM entries that can be used for IPv4 Policy based routing IPv6 Po...

Page 70: ... is used for supplying power to the device if the AC power supply stops working It is only supported on the 550 family If it becomes necessary to switch to the backup power the device changes between the power sources without reboot and without any disruption to the device operation The device polls the RPS status every 1 sec if RPS is providing power the RPS LED is set and if the RPS is active a ...

Page 71: ...out them the device becomes too hot and automatically shut down Since a fan is a moving part it is subject to failures A redundant fan is installed on the system This fan is not operational unless one or more of the system fans fails In this case the redundant fan becomes part of the environment monitoring of the device It is recommended to let the redundant fan work for at least 1 minute once a d...

Page 72: ...Action At least one temperature sensor exceeds the Warning threshold The following are generated SYSLOG message SNMP trap At least one temperature sensor exceeds the Critical threshold The following are generated SYSLOG message SNMP trap The following actions are performed System LED is set to solid amber if hardware supports this Disable Ports When the Critical temperature has been exceeded for t...

Page 73: ...nnected to them and on which PoE is not operational due to the Time Range feature Cumulative PoE Power Savings Cumulative amount of the PoE power since the device was powered up saved on ports which have PDs connected to them and to which PoE is not operational due to the Time Range feature Projected Annual PoE Power Savings Yearly projected amount of PoE power since device was powered up saved on...

Page 74: ...ndant fan is operational but not required Active One of the main fans is not working and this fan is replacing it Temperature The options are OK The temperature is below the warning threshold Warning The temperature is between the warning threshold to the critical threshold Critical Temperature is above the critical threshold N A Not relevant Main Power Status these fields are found on device that...

Page 75: ...there can be up to 2 PDs PD Port 1 ID Port number of PD port1 PD Port 1 Negotiation Mode Negotiation mode see definition below PD Port 1 Status Connected or not connected PD Port 1 Type Type of PD PD Port 1 Budget Maximum amount of power that can be can be allocated for device PSE operation PD Port 2 ID Port number of PD port1 PD Port 2 Negotiation Mode Negotiation mode see definition below PD Por...

Page 76: ... fields are found on device that are PD devices and in devices that support RPS Power Supply Status The options are Main Displays one of the following Active Power supply is being used Failure Main power has failed Redundant Provides the status of the redundant power supply Displays one of the following Active Redundant Power Supply RPS supply is being used Available RPS is connected but is not be...

Page 77: ...end a copy of network packets seen on a single device port multiple device ports or an entire VLAN to a network monitoring connection on another port on the device This is commonly used when monitoring of network traffic such as for an intrusion detection system is required A network analyzer connected to the monitoring port processes the data packets The device can mirror up to eight interfaces p...

Page 78: ...rt and then forwarded over trunk ports on the intermediate devices to the destination session on the final switch which is monitoring the RSPAN VLAN The reflector port is the mechanism that copies packets to an RSPAN VLAN It is a network port that handles various types of traffic The RSPAN VLAN must be configured on all the intermediate switches NOTE RSPAN does not always successfully copy all the...

Page 79: ...itches 2 Ensure that there are at least two ports that are members of the RSPAN VLAN Traffic will pass through the switch via the RSPAN VLAN Final Switch 1 Define the RSPAN VLAN This RSPAN VLAN must be the same in the start intermediate and final switches 2 Ensure that the source port which is connected to the intermediate switch is a member of the RSPAN VLAN 3 Define the Source Interface as Remot...

Page 80: ...ion IDs of the source ports Destination Type Select one of the following options Local Interface Is the destination port on the same device as the source ports relevant to SPAN Remote VLAN Is the destination port on a different device than the source port relevant to RSPAN If the Destination Type is Remote VLAN configure the following field Reflector Port Select a unit port that functions as a tar...

Page 81: ...N select Remote VLAN STEP 5 In the Monitor Type field select whether incoming outgoing or both types of traffic are mirrored Rx and Tx Port mirroring on both incoming and outgoing packets Rx Port mirroring on incoming packets Tx Port mirroring on outgoing packets STEP 6 Click Apply The source interface for the mirroring is configured Diagnostics This section contains information for configuring po...

Page 82: ...a data cable when testing cables using VCT The test results have an accuracy within an error range of 10 for advanced Testing and 2 for basic testing CAUTION When a port is tested it is set to the Down state and communications are interrupted After the test the port returns to the Up state It is not recommended that you run the copper port test on a port you are using to run the web based switch c...

Page 83: ...lt and Green indicates status OK Channel Cable channel indicating whether the wires are straight or cross over Polarity Indicates if automatic polarity detection and correction has been activated for the wire pair Pair Skew Difference in delay between wire pairs Optical Module Status The Optical Module Status page displays the operating conditions reported by the SFP Small Form factor Pluggable tr...

Page 84: ...tics Diagnostics Optical Module Status This page displays the following fields Port Port number on which the SFP is connected Description Description of optical transceiver Serial Number Serial number of optical transceiver PID VLAN ID VID ID of optical transceiver Temperature Temperature Celsius at which the SFP is operating Voltage SFPs operating voltage Current SFPs current consumption Output P...

Page 85: ...riod and send traps to an SNMP manager The local SNMP agent compares actual real time counters against predefined thresholds and generates alarms without the need for polling by a central SNMP management platform This is an effective mechanism for proactive management provided that you have set the correct thresholds relative to your network s base line RMON decreases the traffic between the manag...

Page 86: ...splayed STEP 3 Select the Refresh Rate which is the time period that passes before the interface statistics are refreshed The following statistics are displayed for the selected interface NOTE If one of the following fields shows a number of errors not 0 a Last Update time is displayed Bytes Received Octets received including bad packets and FCS octets but excluding framing bits Drop Events Packet...

Page 87: ...nt or received Frames of 65 to 127 Bytes Frames containing 65 127 bytes that were sent or received Frames of 128 to 255 Bytes Frames containing 128 255 bytes that were sent or received Frames of 256 to 511 Bytes Frames containing 256 511 bytes that were sent or received Frames of 512 to 1023 Bytes Frames containing 512 1023 bytes that were sent or received Frames of 1024 Bytes or More Frames conta...

Page 88: ...quested value STEP 2 Click Add STEP 3 Enter the parameters New History Entry Displays the number of the new History table entry Source Interface Select the type of interface from which the history samples are to be taken Max No of Samples to Keep Enter the number of samples to store Sampling Interval Enter the time in seconds that samples are collected from the ports The field range is 1 3600 Owne...

Page 89: ...uding bad packets Multicast and Broadcast packets Broadcast Packets Good Broadcast packets excluding Multicast packets Multicast Packets Good Multicast packets received CRC Align Errors CRC and Align errors that have occurred Undersize Packets Undersized packets less than 64 octets received Oversize Packets Oversized packets over 2000 octets received Fragments Fragments packets with less than 64 o...

Page 90: ...ned STEP 2 Click Add STEP 3 Enter the parameters Event Entry Displays the event entry index number for the new entry Community Enter the SNMP community string to be included when traps are sent optional Note that the community must be defined using the Notification Recipients pages for the trap to reach the Network Management Station Description Enter a name for the event This name is used in the ...

Page 91: ...w events on a specific interface This page displays the following fields Event Entry No Event s log entry number Log No Log number within the event Log Time Time that the log entry was entered Description Description of event that triggered the alarm RMON Alarms RMON alarms provide a mechanism for setting thresholds and sampling intervals to generate exception events on counters or any other SNMP ...

Page 92: ...d an alarm is generated Delta Subtracts the last sampled value from the current value The difference in the values is compared to the threshold If the threshold was crossed an alarm is generated Rising Threshold Enter the value that triggers the rising threshold alarm Rising Event Select an event to be performed when a rising event is triggered Events are configured in the RMON Events Control page...

Page 93: ...itch or router or in a stand alone probe and a central data collector known as the sFlow collector The sFlow agent uses sampling technology to capture traffic and statistics from the device it is monitoring sFlow datagrams are used to forward the sampled traffic and statistics to an sFlow collector for analysis sFlow V5 defines How traffic is monitored The sFlow MIB that controls the sFlow agent T...

Page 94: ... from the IP address defined on the outgoing interface IPv6 Source Interface Select the IPv6 source interface STEP 3 To add a receiver sFlow analyzer click Add and select one of the pre defined sampling definition indices in Receiver Index STEP 4 Enter the receiver s address fields Receiver Definition Select whether to specify the sFlow server By IP address or By name If Receiver Definition is By ...

Page 95: ...pling and configure the port from which to collect the sFlow information STEP 1 Click Status and Statistics sFlow sFlow Interface Settings The sFlow interface settings are displayed STEP 2 To associate an sFlow receiver with a port select a port click Edit and enter the fields Interface Select the unit port from which information is collected Flow Sampling State Enable disable flow sampling Sampli...

Page 96: ...sh memory cleared only upon user command You can configure the messages that are written to each log by severity and a message can go to more than one log including logs that reside on external SYSLOG servers RAM Memory The RAM Memory page displays all messages that saved in the RAM cache in chronological order Entries are stored in the RAM log according to the configuration in the Log Settings pa...

Page 97: ...tatus and Statistics View Log RAM Memory The following are displayed at the top of the page Alert Icon Blinking Toggles between disable and enable Pop Up Syslog Notification Enables receiving pop up SYSLOGs as described above Current Logging Threshold Specifies the levels of logging that are generated This can be changed by clicking Edit by the field s name This page contains the following fields ...

Page 98: ...he device is rebooted You can clear the logs manually To view the Flash logs click Status and Statistics View Log Flash Memory The Current Logging Threshold specifies the levels of logging that are generated This can be changed by clicking Edit by the field s name This page contains the following fields for each log file Log Index Log entry number Log Time Time when message was generated Severity ...

Page 99: ...ation and configure various options on the device It covers the following topics System Settings Console Settings Autobaud Rate Support Stack Management User Accounts Idle Session Timeout Time Settings System Log File Management Plug n Play PNP Reboot Hardware Resources Discovery Bonjour Discovery LLDP Discovery CDP Locate Device Ping Traceroute ...

Page 100: ...he device MAC address in hex format User Defined Enter the hostname Use only letters digits and hyphens Host names cannot begin or end with a hyphen No other symbols punctuation characters or blank spaces are permitted as specified in RFC1033 1034 1035 Custom Banner Settings The following banners can be set Login Banner Enter text to display on the Login page before login Click Preview to view the...

Page 101: ... boot up information After Auto Detection is enabled in the Console Settings page it can be activated by connecting the console to the device and pressing the Enter key twice The device detects the baud rate automatically To enable Auto Detection or to manually set the baud rate of the console STEP 1 Click Administration Console Settings STEP 2 Select one of the following options in the Console Po...

Page 102: ...fined the user password must comply with the policy configured in Password Strength Confirm Password Enter the password again Password Strength Meter Displays the strength of password The policy for password strength and complexity are configured in the Password Strength page User Level Select the privilege level of the user being added edited Read Only CLI Access 1 User cannot access the GUI and ...

Page 103: ...meout for various types of sessions STEP 1 Click Administration Idle Session Timeout STEP 2 Select the timeout for the each type of session from the corresponding list The default timeout value is 10 minutes STEP 3 Click Apply to set the configuration settings on the device Time Settings See Administration Time Settings System Log This section describes the system logging which enables the device ...

Page 104: ...y levels are listed from the highest severity to the lowest severity as follows Emergency System is not usable Alert Action is needed Critical System is in a critical condition Error System is in error condition Warning System warning has occurred Notice System is functioning properly but a system notice has occurred Informational Device information Debug Detailed information about an event You ca...

Page 105: ...ated Originator Identifier Enables adding an origin identifier to SYSLOG messages The options are None Do not include the origin identifier in SYSLOG messages Hostname Include the system host name in SYSLOG messages IPv4 Address Include the IPv4 address of the sending interface in SYSLOG messages IPv6 Address Include the IPv6 address of the sending interface in SYSLOG messages User Defined Enter a...

Page 106: ...te log server by IP address or name IP Version Select the supported IP format IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 10 is not routable and can be used for communication only on the local network Only one link local address is supported If...

Page 107: ...boxed connected to a staging network updated with the right licenses configurations and images then packaged and shipped to the actual installation location After these processes are completed experts must travel to the installation locations to perform the installation Even in scenarios where the devices are installed in the NOC Data Center itself there may not be enough experts for the sheer num...

Page 108: ...rotocol HTTP DNS name pnpserver for PNP server and the port related to HTTP When selecting the Default Settings option all fields in PNP Transport section are grayed out Manual Settings Manually set the TCP port and server settings to use for PNP transport TCP Port Number of the TCP port This is entered automatically by the system 80 for HTTP Server Definition Select whether to specify the PNP ser...

Page 109: ... or Plaintext form PNP Behavior Settings Enter the following parameters Reconnection Interval Interval in seconds before attempting to reconnect the session after the connection is lost Discovery Timeout Specifies the time to wait in seconds before attempting discovery again after a discovery of the PNP server failed Timeout Exponential Factor Value that triggers the discovery attempt exponentiall...

Page 110: ...e Discovery Wait Discovery Not Ready Disabled Session Session Wait Transport Protocol Displays the PNP agent session information TCP Port TCP port of the PNP session Server IPAddress IP address of PNP server Username Username to be sent in PNP packets Password MD5 Password to be sent in PNP packets Discovery Timeout Discovery timeout configured Session Interval Timeout Session Interval timeout con...

Page 111: ... restores the working configuration and enables restoring the connectivity to the remote device after the specified time expires If these actions are successful the delayed reboot can be manually canceled Reloading the device cause loss of connectivity in the network thus by using delayed reboot you can schedule the reboot to a time that is more convenient for the users e g late night To reboot th...

Page 112: ... erases all except the Active Image Inactive Image Mirror configuration and Localization files The stack unit ID is set to auto Clear Startup Configuration File Check to clear the startup configuration on the device for the next time it boots up Hardware Resources The Hardware Resources page enables you to adjust the Router TCAM allocation for policy based routing IPv4 and IPv6 and VLAN mapping ru...

Page 113: ... VLAN Mapping Entries Select one of the following options Use Default Use default values User Defined Enter a value STEP 2 Save the new settings by clicking Apply NOTE If hardware based routing is not active the Reactivate Hardware Based Routing button appears Click on this button to enable hardware based routing Activation of hardware based routing depends on the hardware resources that are avail...

Page 114: ...ult In a stacked device a specific unit or all units in the stack can be specified STEP 1 Click Administration Locate Device STEP 2 Enter values in the following fields Duration Enter for how long in seconds the port s LEDs will flash Remaining Time This field is only displayed if the feature is currently activated It displays the remaining time during which the LED will flash Unit ID This field i...

Page 115: ...as the source IPv4 address for communication with the destination If the Host Definition field was By Name all IPv4 and IPv6 addresses will be displayed in this drop down field If the Host Definition field was By IP Address only the existing IP addresses of the type specified in the IP Version field will be displayed NOTE If the Auto option is selected the system computes the source address based ...

Page 116: ...e Number of Sent Packets Number of packets sent by ping Number of Received Packets Number of packets received by ping Packet Lost Percentage of packets lost in ping process Minimum Round Trip Time Shortest time for packet to return Maximum Round Trip Time Longest time for packet to return Average Round Trip Time Average time for packet to return Status Fail or succeed Traceroute Traceroute discove...

Page 117: ...mber of hops that Traceroute permits This is used to prevent a case where the sent frame gets into an endless loop The Traceroute command terminates when the destination is reached or when this value is reached To use the default value 30 select Use Default Timeout Enter the length of time that the system waits for a frame to return before declaring it lost or select Use Default STEP 3 Click Activ...

Page 118: ...ystem folder is a system file Various actions can be performed with these files such as selecting the firmware file from which the device boots copying various types of configuration files internally on the device or copying files to or from an external device such as an external server Configuration files on the device are defined by their type and contain the settings and parameter values for th...

Page 119: ...en the following conditions exist The device has been operating continuously for 24 hours No configuration changes have been made to the Running Configuration in the previous 24 hours The Startup Configuration is identical to the Running Configuration Only the system can copy the Startup Configuration to the Mirror Configuration However you can copy from the Mirror Configuration to other file type...

Page 120: ...ter will automatically upgrade the firmware of a newly added unit if the unit does not have identical firmware as the master There are two firmware images stored on the device One of the images is identified as the active image and other image is identified as the inactive image When updating the device s firmware the new firmware is always overwriting the inactive image After uploading new firmwa...

Page 121: ... By IP address or By name If Server Definition is By Address IP Version If Server Definition is By Address Select whether an IPv4 or an IPv6 address for the server is used IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be u...

Page 122: ... server authentication which is disabled by default click Edit by Remote SSH Server Authentication This takes you to the SSH Server Authentication page to configure the SSH server STEP 4 Return to this page STEP 5 Select one of the following methods to perform SSH Client Authentication Use SSH Client System Credentials Sets permanent SSH user credentials Click System Credentials to go to the SSH U...

Page 123: ...k local interface from the list Server IPAddress Name Enter the IP address or domain name of the SCP server whichever is relevant Update Source Enter the name of the source file Backup Destination Enter the name of the backup file STEP 7 Click Apply If the files passwords and server addresses are correct one of the following may happen If SSH server authentication is enabled in the SSH Server Auth...

Page 124: ... are taken from the master unit When restoring a configuration file to the Running Configuration the imported file adds any configuration commands that did not exist in the old file and overwrites any parameter values in the existing configuration commands When restoring a configuration file to the Startup Configuration the new file replaces the previous file When restoring to Startup Configuratio...

Page 125: ... a system configuration file using HTTP HTTPS USB or Internal Flash STEP 1 Click Administration File Management File Operations STEP 2 Enter the following fields Operation Type Select Update File Destination File Type Select one of the configuration file types to update Copy Method Select HTTP HTTPS USB or Internal Flash File Name Enter name of file to be updated from source file STEP 3 Click Appl...

Page 126: ...n the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface from the list Server IPAddress Name Enter the IP address or name of the TFTP server Source Enter the update file name STEP 3 Click Apply to begin the operation To update a sy...

Page 127: ...ersion Select whether an IPv4 or an IPv6 address is used IPv6 Address Type Select the IPv6 address type if used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on ...

Page 128: ...EP 3 Click Apply to begin the operation To backup a system configuration file using USB or Internal Flash STEP 1 Click Administration File Management File Operations STEP 2 Enter the following fields Operation Type Select Backup File Source File Type Select one of the configuration file types to backup Copy Method Select USB or Internal Flash File Name Enter name of destination backup file Sensiti...

Page 129: ...ingle network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interf...

Page 130: ...t is disabled by default click Edit which takes you to the SSH ServerAuthentication page to configure this and return to this page Use the SSH Server Authentication page to select an SSH user authentication method password or public private key set a username and password on the device if the password method is selected and generate an RSA or DSA key if required SSH Client Authentication Client au...

Page 131: ...name of the SCP server Destination Enter the name of the backup file Sensitive Data Handling Select how sensitive data should be included in the backup file The following options are available Exclude Do not include sensitive data in the backup Encrypt Include sensitive data in the backup in its encrypted form Plaintext Include sensitive data in the backup in its plaintext form NOTE The available ...

Page 132: ...e following options are available Flash Display all files in the root directory of the management station USB Display files on the USB drive STEP 4 Click Go to display the following fields File Name Type of system file or actual name of file depending on the file type Permissions Read write permissions of the user for the file Size Size of file Last Modified Date and time that file was modified Fu...

Page 133: ...te Configuration enables quick installation of new devices on the network since an out of the box device is configured to retrieve its configuration file and software image from the network without any manual intervention by the system administrator The first time that it applies for its IP address from the DHCP server the device downloads and reboots itself with the configuration file and or imag...

Page 134: ...d through the DHCP Auto Configuration Image Update feature Auto Configuration Image Update Process DHCP Auto Configuration uses the configuration server name address and configuration file name path from the DHCP messages received if any In addition DHCP Image Update uses the indirect file name of the firmware if any in the messages This information is specified as DHCP options in the Offer messag...

Page 135: ...address and configuration file name path DHCPv4 options 66 150 and 67 DHCPv6 options 59 and 60 if any from the DHCP message received If the information is not sent by the DHCP server the Backup Server IPAddress Name and the Backup Configuration File Name from the DHCP Auto Configuration Image Update is used The new configuration file is used if its name is different than the name of the configurat...

Page 136: ...Auto Configuration process is halted If the information is available the SCP server is accessed to download the configuration file or image from it Auto Configuration Image Update Trigger Auto Configuration Image Update via DHCPv4 is triggered when the following conditions are fulfilled The IP address of the device is dynamically assigned renewed at reboot or explicitly renewed by administrative a...

Page 137: ...ct image file name is provided by the DHCP server or a backup indirect image file name has been configured Indirect means that this is not the image itself but rather a file that holds the path name to the image Auto Configuration Image Update in a Stack The current master of a stack is responsible for the Auto Configuration Image Update of the whole stack For auto configuration the new configurat...

Page 138: ... configured as a DHCPv4 or DHCPv6 client The type of DHCP client defined on the device is in correlation with the type of interfaces defined on the device Auto Configuration Preparations To prepare the DHCP and TFTP SCP servers do the following TFTP SCP Server Place a configuration file in the working directory This file can be created by copying a configuration file from a device When the device ...

Page 139: ...s DHCPv4 Option 125 indirect file name DHCPv6 Options 60 name of configuration file plus indirect image file name separated by a comma DHCP Client Work Flow STEP 1 Configure Auto Configuration and or Auto Image Update parameters in the DHCP Auto Configuration Image Update page STEP 2 Set the IP Address Type to Dynamic in the IP Configuration IPv4 Interface page Set the IP Address Type to Dynamic i...

Page 140: ...ed by default but can be enabled here Download Protocol Select one of the following options Auto By File Extension Select to indicate that auto update uses the TFTP or SCP protocol depending on the extension of the image file If this option is selected the extension of the image file does not necessarily have to be given If it is not given the default extension is used as indicated below File Exte...

Page 141: ...lobal The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6 is used from the list STEP 4 Enter the following optional information that is used if the DHCP server did not provide the required information Backup Server IPAddress Name Enter either the backup server IP address or name Backup Configu...

Page 142: ...ng modes see Stack Unit Mode By default a device is always stackable but has no port configured as a stack port All the ports in the devices are configured as network ports by default A device without any stack port can be thought of as the master device in a stack of only itself or as a standalone device To stack two or more devices configure the desired network ports as stack ports in the device...

Page 143: ...k capacity The stacked system supports redundancy in the following ways The backup unit becomes the master of the stack if the original master fails The stack system supports two types of topologies chain and ring In ring topology if one of the stack ports fails the stack continues to function in chain topology see Stack Topology A process known as Fast Stack Link Failover is supported on the port...

Page 144: ...nit fails the stack continues to function as long as there is a backup unit the active unit that assumes the master role If the backup unit fails in addition to the master and the only functioning units are the slave units these also stop functioning after one minute This means for example that if after 1 minute you plug in a cable to a port of one of the slave units that was running without a mas...

Page 145: ...k Topology Types of Stack Topology The units in a stack can be connected in one of the following types of topologies Chain Topology Each unit is connected to the neighboring unit but there is no cable connection between the first and last unit See Stack Architecture Chain Topology shows a chain topology Ring Topology Each unit is connected to the neighboring unit The last unit is connected to the ...

Page 146: ...ocess is triggered by a change in the up down status of a stack port The following are examples of events that trigger this process Changing the stack topology from a ring to a chain Merging two stacks into a single stack Splitting the stack Inserting other slave units to the stack for instance because the units previously disconnected from the stack due to a failure This can happen in a chain top...

Page 147: ...ally The unit ID is manually set to an integer from 1 maximum number of units in a stack Duplicate Unit IDs If you assign the same unit ID to two separate units only one of them can join the stack with that unit ID If auto numbering has been selected the duplicate unit is assigned a new unit number If auto numbering was not selected the duplicate unit is shut down The following shows a case where ...

Page 148: ...units auto numbered is renumbered Duplicate Unit Renumbered The following shows a case where one of the duplicate units is renumbered The one with the lower MAC retains its unit ID see Master Selection Process for a description of this process Duplication Between Two Units With Auto Number Unit ID NOTE If a new stack has more than the maximum number of units all extra units are shut down ...

Page 149: ...is retained when it is selected as master in the switch failover process Unit ID If both units have the same number of time segments the unit with the lowest unit ID is selected MAC Address If both units IDs are the same the unit with the lowest MAC address is chosen NOTE For a stack to operate it must have a master unit A master unit is defined as the active unit that assumes the master role The ...

Page 150: ... IDs automatically beginning from the lowest available ID One or more duplicate unit IDs exist Auto numbering resolves conflicts and assigns unit IDs In case of manual numbering only one unit retains its unit ID and the other s are shutdown The number of units in the stack exceeds the maximum number of units allowed The new units that joined the stack are shut down and a SYSLOG message is generate...

Page 151: ...ting the Original Master Unit After Failover Failure of Master Unit If the Master fails the backup unit takes over the master role and continues to operate the stack normally For the backup to be able to take the place of the master both units maintain a warm standby at all times In warm standby the master and its backup units are synchronized with the static configuration contained in both the St...

Page 152: ...TE When STP is used and the ports are in link up the STP port s state is temporarily Blocking and it cannot forward traffic or learn MAC addresses This is to prevent spanning tree loops between active units Slave Unit Handling While the backup becomes the master the active slave units remain active and continue to forward packets based on the configuration from the original master This minimizes d...

Page 153: ... which ports you plan to use as stack ports in the Stack Management page The following ports can be stack ports XG Devices all ports support the 10Gigabit speed All ports can be stack ports X Devices Only uplink ports support the 10Gigabit speed Only the four XG uplink ports can be stack ports Stack Port Link Aggregation When two neighboring units are connected with multiple stack links the stack ...

Page 154: ...SG350 more than two interfaces or an unsupported interface combination is used to connect to a single neighbor Physical Constraints for Stack LAGs The following factors constrain the use of stack LAGs A stack LAG must contain ports of the same speed When attempting to connect a unit to a stack whose topology is not a ring chain for example trying to connect a unit to more than two neighboring unit...

Page 155: ... unit in a stack automatically downloads firmware from the master unit if the firmware which the unit and the master are running is different The unit automatically reboots itself to run the new version Stack Ports or Network Ports Connector Type All ports Cisco SFP H10GB CU1M Passive Copper Cable 1G 10G Cisco SFP H10GB CU3M Passive Copper Cable 1G 10G Cisco SFP H10GB CU5M Passive Copper Cable 1G ...

Page 156: ...50 family of devices Hybrid Stack In Hybrid Stack mode all unit types within the same product line 350 or 550 can be stacked together without regard to the type of ports supported by device An 350 device cannot be stacked with an 550 device and vice versa To join a unit to a hybrid stack it must be first configured in Hybrid mode This is done by setting the Stack Mode to Hybrid Stacking in the Sta...

Page 157: ...stack Feature Table Sx550X SG550XG SX550X Hybrid Stack OOB port Not Supported Supported Not Supported MAC table size 16K 32K 16K ACL TCAM 3K reserved 2K reserved 2K reserved ARP table size 4K reserved 8K reserved 4K reserved Max MAC table aging 400 630 400 Feature Table Sx350X SG350XG SX350X Hybrid Stack OOB port Not Supported Supported Not Supported MAC table size 16K 32K 16K ACL TCAM 1K reserved...

Page 158: ...ed as a SYSLOG error in the master unit Note that the only way for the unit to recover from this state is by unplugging it from the electrical source and plugging it back in This operation must be preformed when an affected unit is disconnected from the stack After this operation the affected unit mode can be changed to the current stack mode and the unit can be rejoined to the stack Stack Unit Ty...

Page 159: ...lied to new units with no error When replacing an FE GE device which supports uplink port type with an XG device which do not support uplink port type the uplink port configuration on the newly inserted XG device is saved to a special interface type with ID of 49 52 This interface type is reserved to indicate that the interface is not present When replacing a unit interface type the running and st...

Page 160: ...ck and through which stacking ports An example is shown below Unit View and Stack Port Configuration When you click on a specific device in the Stack Topology View a graphical view of the device is seen An example is shown below STEP 2 To select stack ports for a device a Click a device in the Stack Topology View The ports on this device are displayed in the Unit View and Stack Port Configuration ...

Page 161: ...g port If you click on a yellow stacking port it becomes a network port black STEP 3 To configure unit ID after reset for devices in the stack click the device in the Stack Topology View and enter the following field Unit ID After Reset Select a unit ID or select Auto to have the unit ID be assigned by the system Unit x Stack Connection Speed Displays the speed of the stack connection STEP 4 Click...

Page 162: ...ems as it is important for the modification times to be consistent regardless of the machine on which the file systems reside For these reasons it is important that the time configured on all of the devices on the network is accurate NOTE The device supports Simple Network Time Protocol SNTP and when enabled the device dynamically synchronizes the device time with time from an SNTP server The devi...

Page 163: ...tion The configuration of time from the computer is saved to the Running Configuration file You must copy the Running Configuration to the Startup Configuration to enable the device to use the time from the computer after reboot The time after reboot is set during the first WEB login to the device When you configure this feature for the first time if the time was not already set the device sets th...

Page 164: ...DHCP option 100 in order for dynamic time zone configuration to take place SNTP Modes The device can receive system time from an SNTP server in one of the following ways Client Broadcast Reception passive mode SNTP servers broadcast the time and the device listens to these broadcasts When the device is in this mode there is no need to define a Unicast SNTP server Client Broadcast Transmission acti...

Page 165: ...2 Enter the following parameters Clock Source Settings Select the source used to set the system clock Main Clock Source SNTP Servers If this is enabled the system time is obtained from an SNTP server To use this feature you must also configure a connection to an SNTP server in the SNTP Multicast Anycast page Optionally enforce authentication of the SNTP sessions by using the SNTP Authentication pa...

Page 166: ...his time zone This acronym appears in the Actual Time field Daylight Savings Settings Select how DST is defined Daylight Savings Select to enable Daylight Saving Time Time Set Offset Enter the number of minutes offset from GMT ranging from 1 1440 The default is 60 Daylight Savings Type Click one of the following USA DST is set according to the dates used in the USA European DST is set according to...

Page 167: ...e DNS server s on the device see DNS Settings To add a Unicast SNTP server STEP 1 Click Administration Time Settings SNTP Unicast STEP 2 Enter the following fields SNTP Client Unicast Select to enable the device to use SNTP predefined Unicast clients with Unicast SNTP servers IPv4 Source Interface Select the IPv4 interface whose IPv4 address will be used as the source IPv4 address in messages used...

Page 168: ...he host determines the value of this offset using the algorithm described in RFC 2030 Delay Estimated round trip delay of the server s clock relative to the local clock over the network path between them in milliseconds The host determines the value of this delay using the algorithm described in RFC 2030 Source How the SNTP server was defined for example manually or from DHCPv6 server Interface In...

Page 169: ...er IPAddress Name Enter the SNTP server IP addressor name The format depends on which address type was selected Poll Interval Select to enable polling of the SNTPserver for system time information All NTP servers that are registered for polling are polled and the clock is selected from the server with the lowest stratum level distance from the reference clock that is reachable The server with the ...

Page 170: ... packets requesting system time information The packets are transmitted to all SNTP servers on the subnet SNTP IPv6 Anycast Client Mode Client Broadcast Transmission Select to transmit SNTP IPv6 synchronization packets requesting system time information The packets are transmitted to all SNTP servers on the subnet STEP 2 Click Add to select the interface for SNTP Select an interface STEP 3 Click A...

Page 171: ...rs Authentication Key ID Enter the number used to identify this SNTP authentication key internally Authentication Key Encrypted Enter the key used for authentication up to eight characters in encrypted format The SNTP server must send this key for the device to synchronize to it Authentication Key Plaintext Enter the key used for authentication up to eight characters in plaintext format The SNTP s...

Page 172: ...he recurring time range have been reached Operations of the associated commands are inactive when either of the time ranges are reached The device supports a maximum of 10 absolute time ranges All time specifications are interpreted as local time Daylight Saving Time does not affect this To ensure that the time range entries take effect at the desired times the system time must be set The time ran...

Page 173: ...ange A recurring time element can be added to an absolute time range This limits the operation to certain time periods within the absolute range To add a recurring time range element to an absolute time range STEP 1 Click Administration Time Settings Recurring Range The existing recurring time ranges are displayed filtered per a specific absolute time range STEP 2 Select the absolute time range to...

Page 174: ...ry packets to interfaces with IP addresses that have been associated with Bonjour on the Bonjour Discovery Interface Control table Use to IPv4 Interface to configure an IP address to an interface If an interface such as a VLAN is deleted the device will send out Bonjour Goodbye packets to the interface to deregister itself and its services Neighbor devices receiving the Goodbye packets will delete...

Page 175: ...apabilities By default the device sends an LLDP CDP advertisement periodically to all its interfaces and processes incoming LLDP and CDP packets as required by the protocols In LLDP and CDP advertisements are encoded as TLV Type Length Value in the packet The following CDP LLDP configuration notes apply CDP LLDP can be enabled or disabled globally or per port The CDP LLDP capability of a port is r...

Page 176: ...e STP status of an interface If 802 1x port access control is enabled at an interface the device transmits and receives CDP LLDP packets to and from the interface only if the interface is authenticated and authorized If a port is the target of mirroring then CDP LLDP considers it down NOTE CDP and LLDP are link layer protocols for directly connected CDP LLDP capable devices to advertise themselves...

Page 177: ...LLDP standardizes methods for network devices to advertise themselves to other systems and to store discovered information LLDP enables a device to advertise its identification configuration and capabilities to neighboring devices that then store the data in a Management Information Base MIB The network management system models the topology of the network by querying these MIB databases LLDP is a ...

Page 178: ...iate LLDP MED network policies and the optional LLDP MED TLVs to the desired interfaces by using the LLDP MED Port Settings page 5 If Auto Smartport is to detect the capabilities of LLDP devices enable LLDP in the Properties page 6 Display overloading information by using the LLDP Overloading page LLDP Properties The Properties page enables entering LLDP general parameters such as enabling disabli...

Page 179: ...ertise the MAC address of the device Host Name Advertise the host name of the device STEP 3 In the LED MED Properties Fast Start Repeat Count field enter the number of times LLDP packets are sent when the LLDP MED Fast Start mechanism is initialized This occurs when a new endpoint device links to the device For a description of LLDP MED refer to the LLDP MED Network Policy section STEP 4 Click App...

Page 180: ...ersion System Name System s assigned name in alpha numeric format The value equals the sysName object System Description Description of the network entity in alpha numeric format This includes the system s name and versions of the hardware operating system and networking software supported by the device The value equals the sysDescr object System Capabilities Primary functions of the device and wh...

Page 181: ... dynamic addresses the software chooses the lowest IP address among the static IP addresses None Do not advertise the management IP address Manual Advertise Select this option and the management IP address to be advertised We recommend you select this option when the device is configured with multiple IP addresses IPAddress If Manual Advertise was selected select the Management IP address from the...

Page 182: ...s traffic as specified in the network policy it receives For example a policy can be created for VoIP traffic that instructs VoIP phone to Send voice traffic on VLAN 10 as tagged packet and with 802 1p priority 5 Send voice traffic with DSCP 46 Network policies are associated with ports by using the LLDP MED Port Settings page An administrator can manually configure one or more network policies an...

Page 183: ...Value Select the DSCP value to associate with application data sent by neighbors This value informs them how they must mark the application traffic they send to the device STEP 6 Click Apply The network policy is defined NOTE You must manually configure the interfaces to include the desired manually defined network policies for the outgoing LLDP packets using the LLDP MED Port Settings LLDP MED Po...

Page 184: ...olicy for the voice application is automatic or not see LLDP Overview Click on the link to change the mode STEP 3 To associate additional LLDP MED TLV and or one or more user defined LLDP MED Network Policies to a port select it and click Edit STEP 4 Enter the parameters Interface Select the interface to configure LLDP MED Status Enable disable LLDP MED on this port SNMP Notification Select whethe...

Page 185: ...s click Administration Discovery LLDP LLDP Port Status Information for all ports including the OOB port is displayed STEP 2 Select a specific port and click LLDP Local Information Detail to see the details of the LLDP and LLDP MED TLVs sent out to the port STEP 3 Select a specific port and click LLDP Neighbor Information Detail to see the details of the LLDP and LLDP MED TLVs received from the por...

Page 186: ...P local port status advertised on a port STEP 1 Click Administration Discovery LLDP LLDP Local Information STEP 2 Select the interface for which LLDP local information is to be displayed This page displays the following fields for the selected interface including the OOB port Global Chassis ID Subtype Type of chassis ID For example the MAC address Chassis ID Identifier of chassis Where the chassis...

Page 187: ...to negotiation support status Auto Negotiation Enabled Port speed auto negotiation active status Auto Negotiation Advertised Capabilities Port speed auto negotiation capabilities for example 1000BASE T half duplex mode 100BASE TX full duplex mode Operational MAU Type MediumAttachment Unit MAU type The MAU performs physical layer functions including digital data conversion from the Ethernet interfa...

Page 188: ...me in micro seconds that the transmitting link partner waits before it starts transmitting data after leaving Low Power Idle LPI mode Local Rx Indicates the time in micro seconds that the receiving link partner requests that the transmitting link partner waits before transmission of data following Low Power Idle LPI mode Remote Tx Echo Indicates the local link partner s reflection of the remote li...

Page 189: ...ass 1 and Class 2 features plus location 911 Layer 2 device support and device information management capabilities PoE Device Type Port PoE type for example PD PoE Power Source Port power source PoE Power Priority Port power priority PoE Power Value Port power value Hardware Revision Hardware version Firmware Revision Firmware version Software Revision Software version Serial Number Device serial ...

Page 190: ... that was received from neighboring devices After timeout based on the value received from the neighbor Time To Live TLV during which no LLDP PDU was received from a neighbor the information is deleted To view the LLDP neighbors information STEP 1 Click Administration Discovery LLDP LLDP Neighbor Information STEP 2 Select the interface for which LLDP neighbor information is to be displayed This pa...

Page 191: ... system that is published System Description Description of the network entity in alpha numeric format This includes the system name and versions of the hardware operating system and networking software supported by the device The value equals the sysDescr object Supported System Capabilities Primary functions of the device The capabilities are indicated by two octets Bits 0 through 7 indicate Oth...

Page 192: ...upported on the port PSE MDI Power State Indicates if MDI power is enabled on the port PSE Power Pair Control Ability Indicates if power pair control is supported on the port PSE Power Pair Power pair control type supported on the port PSE Power Class Advertised power class of the port Power Type Type of pod device connected to the port Power Source Port power source Power Priority Port power prio...

Page 193: ...r waits before transmission of data following Low Power Idle LPI mode Local Tx Echo Indicates the local link partner s reflection of the remote link partner s Tx value Local Rx Echo Indicates the local link partner s reflection of the remote link partner s Rx value MED Details Capabilities Supported MED capabilities enabled on the port Current Capabilities MED TLVs advertised by the port Device Cl...

Page 194: ... Device manufacturer name Model Name Device model name Asset ID Asset ID 802 1 VLAN and Protocol PVID Advertised port VLAN ID PPVIDs PPVID Table VID Protocol VLAN ID Supported Supported Port and Protocol VLAN IDs Enabled Enabled Port and Protocol VLAN IDs VLAN IDs VLAN ID Table VID Port and Protocol VLAN ID VLAN Name Advertised VLAN names Protocol ID Table Protocol ID Advertised protocol IDs Locat...

Page 195: ...Untagged for which the network policy is defined User Priority Network policy user priority DSCP Network policy DSCP STEP 4 Select a port and click LLDP Port Status Table to see the details in the LLDP Port Status Table LLDP Statistics The LLDP Statistics page displays LLDP statistical information per port To view the LLDP statistics STEP 1 Click Administration Discovery LLDP LLDP Statistics For e...

Page 196: ...the number of available bytes for additional LLDP information and the overloading status of every interface To view LLDP overloading information STEP 1 Click Administration Discovery LLDP LLDP Overloading This page contains the following fields for each port Interface Port identifier This can also be an OOB port Total Bytes In Use Total number of bytes of LLDP information in each packet Available ...

Page 197: ... via MDI Size Bytes Total LLDP MED extended power via MDI packets byte size Status If the LLDP MED extended power via MDI packets sent or if they overloaded 802 3 TLVs Size Bytes Total LLDP MED 802 3 TLVs packets byte size Status If the LLDP MED 802 3 TLVs packets sent or if they overloaded LLDP Optional TLVs Size Bytes Total LLDP MED optional TLVs packets byte size Status If the LLDP MED optional...

Page 198: ... Cisco proprietary protocol CDP Configuration Workflow The followings is sample workflow for configuring CDP on the device You can also find additional CDP configuration guidelines in the LLDP CDP section STEP 1 Enter the CDP global parameters using the CDP Properties page STEP 2 Configure CDP per interface using the CDP Interface Settings page STEP 3 If Auto Smartport is used to detect the capabi...

Page 199: ...use CDP Hold Time Amount of time that CDP packets are held before the packets are discarded measured in multiples of the TLV Advertise Interval For example if the TLV Advertise Interval is 30 seconds and the Hold Multiplier is 4 then the LLDP packets are discarded after 120 seconds The following options are possible Use Default Use the default time 180 seconds User Defined Enter the time in second...

Page 200: ...not match what the local device is advertising STEP 3 Click Apply The LLDP properties are defined CDP Interface Settings The Interface Settings page enables you to enable disable CDP per port Notifications can also be triggered when there are conflicts with CDP neighbors The conflict can be Voice VLAN data Native VLAN or Duplex By setting these properties it is possible to select the types of info...

Page 201: ...ing frame does not match what the local device is advertising Syslog Native VLAN Mismatch Select to enable sending a SYSLOG message when a native VLAN mismatch is detected This means that the native VLAN information in the incoming frame does not match what the local device is advertising Syslog Duplex Mismatch Select to enable sending a SYSLOG message when duplex information mismatch is detected ...

Page 202: ...ifier of platform advertised in the platform TLV Native VLAN TLV Native VLAN The native VLAN identifier advertised in the native VLAN TLV Full Half Duplex TLV Duplex Whether port is half or full duplex advertised in the full half duplex TLV Appliance TLV Appliance ID Type of device attached to port advertised in the appliance TLV Appliance VLAN ID VLAN on the device used by the appliance for insta...

Page 203: ...ived with a Request ID field that is different from the last received set or when the first value is received The interface transitions to Down Available Power Amount of power consumed by port Management Power Level Displays the supplier s request to the pod device for its Power Consumption TLV The device always displays No Preference in this field 4 Wire Power via MDI UPOE TLV Displays whether th...

Page 204: ...e interval in seconds after which the information for this neighbor is deleted Capabilities Capabilities advertised by neighbor Platform Information from Platform TLV of neighbor Neighbor Interface Outgoing interface of the neighbor STEP 4 Select a device and click Details This page contains the following fields about the neighbor Device ID Identifier of the neighboring device ID System Name Name ...

Page 205: ...no Power Requested TLV was received since the interface last transitioned to Up Power Management ID Value incremented by 1 or 2 to avoid 0 each time any one of the following events occur Available Power or Management Power Level fields change value A Power Requested TLV is received with a Request ID field that is different from the last received set or when the first value is received The interfac...

Page 206: ...ne in the CDP Properties page and the CDP Interface Settings page To view CDP statistics STEP 1 Click Administration Discovery CDP CDP Statistics The following fields are displayed for every interface including the OOB port Packets Received Transmitted Version 1 Number of CDP version 1 packets received transmitted Version 2 Number of CDP version 2 packets received transmitted Total Total number of...

Page 207: ...he following actions 1 Configure port by using the Port Settings page 2 Enable disable the Link Aggregation Control LAG protocol and configure the potential member ports to the desired LAGs by using the LAG Management page By default all LAGs are empty 3 Configure the Ethernet parameters such as speed and auto negotiation for the LAGs by using the LAG Settings page 4 Configure the LACP parameters ...

Page 208: ...cally disables ports that experience link flap events Jumbo Frames Check to support packets of up to 9 KB in size If Jumbo Frames is not enabled default the system supports packet size up to 2 000 bytes Note that receiving packets bigger than 9 KB might cause the receiving port to shutdown Also sending packets bigger than 10 KB bytes might cause the receiving port to shutdown For jumbo frames to t...

Page 209: ...f the error is displayed Link Status SNMP Traps Select to enable generation of SNMP traps that notify of changes to the link status of the port Not relevant for the OOB port Time Range Select to enable the time range during which the port is in Up state When the time range is not active the port is in shutdown If a time range is configured it is effective only when the port is administratively Up ...

Page 210: ...e client in both directions simultaneously Operational Duplex Mode Only displayed on non XG ports Displays the ports current duplex mode Auto Advertisement Select the capabilities advertised by auto negotiation when it is enabled NOTE Not all options are relevant for all devices The options are Max Capability All port speeds and duplex mode settings can be accepted 10 Half 10 Mbps speed and Half D...

Page 211: ... disables the remote port preventing it from sending packets by jamming the signal Flow Control Enable or disable 802 3x Flow Control or enable the auto negotiation of Flow Control on the port only when in Full Duplex mode Flow control auto negotiation cannot be enabled on combo ports MDI MDIX Media Dependent Interface MDI Media Dependent Interface with Crossover MDIX status on the port The option...

Page 212: ...s been shutdown because of an error condition after the Automatic Recovery Interval has passed To configure error recovery settings STEP 1 Click Port Management Error Recovery Settings STEP 2 Enter the following fields Automatic Recovery Interval Specify the time delay for automatic error recovery if enabled after a port is shutdown Automatic ErrDisable Recovery Port Security Select to enable auto...

Page 213: ...ry Settings The list of inactivated interfaces along with their Suspension Reason is displayed STEP 2 Select the interface to be reactivated STEP 3 Click Reactivate Loopback Detection Settings Loopback Detection LBD provides protection against loops by transmitting loop protocol packets out of ports on which loop protection has been enabled When the switch sends out a loop protocol packet and then...

Page 214: ...e LBD is globally enabled LBD is enabled on the port Port operational status is up Port is in STP forwarding disable state MSTP instance forwarding state instance 0 LBD frames are transmitted on the highest priority queue on LBD active ports in case of LAGs the LBD is transmitted on every active port member in LAG When a loop is detected the switch performs the following actions Sets the receiving...

Page 215: ...is is the interval between transmission of LBD packets STEP 4 Click Apply to save the configuration to the Running Configuration file The following fields are displayed for each interface regarding the Loopback Detection State Administrative Loopback detection is enabled Operational Loopback detection is enabled but not active on the interface STEP 5 Select whether to enable LBD on ports or LAGS i...

Page 216: ...prior to applying the LACP button then become available for editing Dynamic A LAG is dynamic if LACP is enabled on it The group of ports assigned to dynamic LAG are candidate ports LACP determines which candidate ports are active member ports The non active candidate ports are standby ports ready to replace any failing active member ports Load Balancing Traffic forwarded to a LAG is load balanced ...

Page 217: ...of the LAG is applied to the port When the port is removed from the LAG its original configuration is reapplied Protocols such as Spanning Tree consider all the ports in the LAG to be one port Default Settings and Configuration By default ports are not members of a LAG and are not candidates to become part of a LAG Static and Dynamic LAG Workflow After a LAG has been manually created LACP cannot b...

Page 218: ...e Edit LAG Membership page To select the load balancing algorithm of the LAG STEP 1 Click Port Management Link Aggregation LAG Management STEP 2 Select one of the following Load Balance Algorithm MAC Address Perform load balancing by source and destination MAC addresses on all packets IP MAC Address Perform load balancing by the source and destination IP addresses on IP packets and by the source a...

Page 219: ... LAGs You can configure the settings of selected LAGs and reactivate suspended LAGs by launching the Edit LAG Settings page To configure the LAG settings or reactivate a suspended LAG STEP 1 Click Port Management Link Aggregation LAG Settings The LAGs in the system are displayed STEP 2 Select a LAG and click Edit STEP 3 Enter the values for the following fields LAG Select the LAG ID number LAG Typ...

Page 220: ...ions are Max Capability All LAG speeds and both duplex modes are available 10 Full The LAG advertises a 10 Mbps speed and the mode is full duplex 100 Full The LAG advertises a 100 Mbps speed and the mode is full duplex 1000 Full The LAG advertises a 1000 Mbps speed and the mode is full duplex 2500 Full The LAG advertises a 2500 Mbps speed and the mode is full duplex This is only supported on the 5...

Page 221: ...f the device with the lowest MAC address controls candidate port selection to the LAG A dynamic LAG can have up to 16 Ethernet ports of the same type Up to eight ports can be active and up to eight ports can be in standby mode When there are more than eight ports in the dynamic LAG the device on the controlling end of the link uses port priorities to determine which ports are bundled into the LAG ...

Page 222: ...dress using DHCP and get its configuration using auto configuration LACP Settings Use the LACP page to configure the candidate ports for the LAG and to configure the LACP parameters per port With all factors equal when the LAG is configured with more candidate ports than the maximum number of active ports allowed 8 the device selects ports as active from the dynamic LAG on the device that has the ...

Page 223: ...vice unidirectional link and to shut down those ports All connected devices must support UDLD for the protocol to successfully detect unidirectional links If only the local device supports UDLD it is not possible for the device to detect the status of the link In this case the status of the link is set to undetermined The user can configure whether ports in the undetermined state are shut down or ...

Page 224: ...imes out UDLD shuts down the port after an extended period of time when it can determine that the link is faulty The port state for UDLD is marked as undetermined UDLD is enabled on a port when one of the following occurs The port is a fiber port and UDLD is enabled globally The port is a copper port and you specifically enable UDLD on it How UDLD Works When UDLD is enabled on a port the following...

Page 225: ...age For more information see Reactivating a Shutdown Port If an interface is down and UDLD is enabled the device removes all neighbor information and sends at least one ULDL message to the neighbors informing them that the port is down When the port is brought up the UDLD state is changed to Detection UDLD Not Supported or is Disabled on a Neighbor If UDLD is not supported or disabled on a neighbo...

Page 226: ...not want to shut down ports unless it is known for sure that the link is unidirectional Set the UDLD mode to aggressive when you want both unidirectional and bidirectional link loss Dependencies On Other Features UDLD and Layer 1 When UDLD is enabled on a port UDLD actively runs on that port while the port is up When the port is down UDLD goes into UDLD shutdown state In this state UDLD removes al...

Page 227: ...l UDLD status STEP 2 Click Apply Workflow2 To change the UDLD configuration of a fiber port or to enable UDLD on a copper port perform the following steps STEP 1 Open the UDLD Global Settings page a Select a port b Select either Default Disabled Normal or Aggressive as the port s UDLD status If you select Default the port receives the global setting STEP 2 Click Apply Workflow3 To bring a port up ...

Page 228: ...down an interface if the link is unidirectional If the link is undetermined a notification is issued Aggressive Device shuts down an interface if the link is uni directional If the link is bi directional the device shuts down after the UDLD information times out The port state is marked as undetermined STEP 3 Click Apply to save the settings to the Running Configuration file UDLD Interface Setting...

Page 229: ...an running on the port so that the state is not yet determined Bidirectional Traffic sent by the local device is received by its neighbor and traffic from the neighbor is received by the local device Undetermined The state of the link between the port and its connected port cannot be determined either because no UDLD message was received or the UDLD message did not contain the local device ID in i...

Page 230: ...t determination if there was one or since UDLD began running on the port so that the state is not yet determined Bidirectional Traffic sent by the local device is received by its neighbor and traffic from the neighbor is received by the local device Undetermined The state of the link between the port and its connected port cannot be determined either because no UDLD message was received or the UDL...

Page 231: ... existing copper cables without interfering with the network traffic updating the physical network or modifying the network infrastructure Features PoE provides the following features Eliminates the need to run 110 220 V AC power to all devices on a wired LAN Removes the necessity for placing all network devices next to power sources Eliminates the need to deploy double cabling systems in an enter...

Page 232: ...ports two modes Port Limit The maximum power the device agrees to supply is limited to the value the system administrator configures regardless of the Classification result Class Power Limit The maximum power the device agrees to supply is determined by the results of the Classification stage This means that it is set as per the Client s request PoE Devices Uplink ports may function as a Powered D...

Page 233: ... power limit according to the class of the device connected to each specific port Class Limit mode If at any time during the connectivity an attached PD requires more power from the device than the configured allocation allows no matter if the device is in Class Limit or Port Limit mode the device does the following Maintains the up down status of the PoE port link Turns off power delivery to the ...

Page 234: ...le them after changing the power configuration Traps Enable or disable traps If traps are enabled you must also enable SNMP and configure at least one SNMP Notification Recipient Power Trap Threshold Enter the usage threshold that is a percentage of the power limit An alarm is initiated if the power exceeds this value Software Version Displays the software version of the PoE chip The following cou...

Page 235: ...E Priority Example Given A 48 port device is supplying a total of 375 watts The administrator configures all ports to allocate up to 30 watts This results in 48 times 30 ports equaling 1440 watts which is too much The device cannot provide enough power to each port so it provides power according to the priority The administrator sets the priority for each port allocating how much power it can be g...

Page 236: ...the power in milliwatts allocated to the port Force Four Pair Select to force the spare pair to supply power This allows the usage of 60 Watts PoE to PDs that do not support CDP LLDP PoE negotiation Max Power Allocation This field appears only if the Power Mode set in the PoE Properties page is Power Limit Displays the maximum amount of power permitted on this port Negotiated Power Power allocated...

Page 237: ...tandard Displays the type of PoE supported such as 60W PoE and 802 3 AT PoE Operational Status Displays whether PoE is currently active on the port STEP 2 Select a port and click Edit STEP 3 Enter the value for the following field Interface Select the port to configure Administrative Status Enable or disable PoE on the port Time Range Select to enabled PoE on the port Time Range Name If Time Range...

Page 238: ...ption trend which is the average power consumption over time This is useful for monitoring and debugging of PoE behavior The device stores PoE port consumption values in units of watts over time This enables calculating and displaying the average PoE consumption over specified time of day week month and enables detecting trends Information is provided for each interface and for the device as a who...

Page 239: ...ers Overload Counter Number of overload conditions detected Short Counter Number of short conditions detected Denied Counter Number of denied conditions detected Absent Counter Number of absent conditions detected Invalid Signature Counter Number of invalid signature conditions detected The following operations can be performed in the main page Clear Event Counters Clear the displayed event counte...

Page 240: ...environmentally friendly and to reduce the power consumption of a device Green Ethernet is different from EEE in that Green Ethernet energy detect is enabled on all devices whereas only Gigabyte ports are enable with EEE The Green Ethernet feature can reduce overall power usage in the following ways Energy Detect Mode On an inactive link the port moves into inactive mode saving power while keeping...

Page 241: ...eed and PoE when they are not required and to enable the LEDs if they are needed debugging connecting additional devices etc On the System Summary page the LEDs that are displayed on the device board pictures are not affected by disabling the LEDs Power savings current power consumption and cumulative energy saved can be monitored The total amount of saved energy can be viewed as a percentage of t...

Page 242: ...nk speed is 1G or 10G When using 802 3az EEE systems on both sides of the link can disable portions of their functionality and save power during periods of no traffic 802 3az EEE supports IEEE 802 3 MAC operation at 100 Mbps and 1000 Mbps LLDP is used to select the optimal set of parameters for both devices If LLDP is not supported by the link partner or is disabled 802 3az EEE still be operationa...

Page 243: ...egotiation is disabled Link Level Discovery for 802 3az EEE In addition to the capabilities described above 802 3az EEE capabilities and settings are also advertised using frames based on the organizationally specific TLVs defined in Annex G of IEEE Std 802 1AB protocol LLDP LLDP is used to further optimize 802 3az EEE operation after auto negotiation is completed The 802 3az EEE TLV is used to fi...

Page 244: ...t is enabled by default c Select whether to enable or disable advertisement of 802 3az EEE capabilities through LLDP in 802 3 Energy Efficient Ethernet EEE LLDP it is enabled by default STEP 4 To see 802 3 EEE related information on the local device open the LLDP Local Information page and view the information in the 802 3 Energy Efficient Ethernet EEE block STEP 5 To display 802 3az EEE informati...

Page 245: ...re only displayed for devices that have GE ports EEE works only when ports are set to Auto negotiation The exception is that EEE is still functional even when Auto Negotiation is disabled but the port is at 1GB or higher The Short reach and Energy Detect features are always enabled on XG devices and cannot be disabled On devices with FE or GE ports these features can be enabled or disabled To defi...

Page 246: ...cient Ethernet EEE State of the port regarding the EEE feature Administrative Displays whether EEE was enabled Operational Displays whether EEE is currently operating on the local port This is a function of whether it has been enabled Administrative Status whether it has been enabled on the local port and whether it is operational on the local port LLDP Administrative Displays whether advertising ...

Page 247: ...Management Green Ethernet 200 Cisco 350 350X and 550X Series Managed Switches Firmware Release 2 4 ver 0 4 10 STEP 7 Click Apply The Green Ethernet port settings are written to the Running Configuration file ...

Page 248: ...Smartport Macros Overview The Smartport feature is designed to provide a means of quickly configuring network devices such as IP phones printers routers and Access Points APs Using this feature you create a Smartport macro which is simply a script containing CLI commands These CLI commands specify the device configuration After creating a Smartport macro it is applied to one or more devices The re...

Page 249: ...ed macro may be applied Smartport types refers to the types of devices which can be attached to Smartports The MTS device supports the following Smartport types named to describe the type of device that is attached to the interface Printer Desktop Guest Server Host IP Camera IP phone IP Phone Desktop Switch Router Wireless Access Point Each Smartport type is associated with two Smartport macros Th...

Page 250: ...artport macro is applied to the interface Auto Smartport Auto Smartport waits for a device to be attached to the interface before applying a configuration When a device is detected from an interface the Smartport macro if assigned that corresponds to the Smartport type of the attaching device is automatically applied A Smartport macro can be applied by its Smartport type statically from CLI and GU...

Page 251: ...efined as the absence of CDP and or LLDP advertisement from the device for a specified time period Unknown If a Smartport macro is applied to an interface and an error occurs the interface is assigned the Unknown status In this case the Smartport and Auto Smartport features do not function on the interface until you correct the error and applies the Reset action performed in the Interface Settings...

Page 252: ...ation with each Smartport type The macro applies the configuration and the anti macro removes it There are two types of Smartport macros Built In These are macros provided by the system One macro applies the configuration profile and the other removes it The macro names of the built in Smartport macros and the Smartport type they are associated with as follows macro name for example printer no_mac...

Page 253: ...t Global Operational state the interface Auto Smartport state and the Persistent Status are all Enable the Smartport type is set to this dynamic type Else the corresponding anti macro is applied and the interfaces status is set to Default Macro Failure and the Reset Operation A Smartport macro might fail if there is a conflict between the existing configuration of the interface and a Smartport mac...

Page 254: ...y assign a Smartport type to an interface from the Interface Settings page Auto Smartport When a device is detected from an interface the Smartport macro if any that corresponds to the Smartport type of the attaching device is automatically applied Auto Smartport is enabled by default globally and at the interface level In both cases the associated anti macro is run when the Smartport type is remo...

Page 255: ...rface in the Interface Settings page the device applies a Smartport macro to the interface based on the Smartport type of the attaching device Auto Smartport derives the Smartport types of attaching devices based on the CDP and or LLDP the devices advertise If for example an IP phone is attached to a port it transmits CDP or LLDP packets that advertise its capabilities After reception of these CDP...

Page 256: ...epeater 0x40 Ignore VoIP Phone 0x80 ip_phone Remotely Managed Device 0x100 Ignore CAST Phone Port 0x200 Ignore Two Port MAC Relay 0x400 Ignore LLDP Capabilities Mapping to Smartport Type Capability Name LLDP Bit Smartport Type Other 1 Ignore Repeater IETF RFC 2108 2 Ignore MAC Bridge IEEE Std 802 1D 3 Switch WLAN Access Point IEEE Std 802 11 MIB 4 Wireless Access Point Router IETF RFC 1812 5 Route...

Page 257: ...he Wireless Access Point Smartport type is used If one of the devices is an IP phone and another device is a host the ip_phone_desktop Smartport type is used If one of the devices is an IP phone desktop and the other is an IP phone or host the ip_phone_desktop Smartport type is used In all other cases the default Smartport type is used For more information about LLDP CDP refer to the Discover LLDP...

Page 258: ...d to the interfaces are effective between reboots only if the running configuration with the Smartport type applied at the interfaces is saved to the startup configuration file Error Handling When a smart port macro fails to apply to an interface you can examine the point of the failure in the Interface Settings page and reset the port and reapply the macro after the error is corrected from the In...

Page 259: ...inistrative Auto Smartport to Enable or Enable by Voice VLAN STEP 2 Select whether the device is to process CDP and or LLDP advertisements from connected devices STEP 3 Select which type of devices are to be detected in the Auto Smartport Device Detection field STEP 4 Click Apply STEP 5 To enable the Auto Smartport feature on one or more interfaces open the Interface Settings page STEP 6 Select th...

Page 260: ...tport macro that is associated with the selected Smartport Type STEP 4 Click Edit to open a new window in which you can bind user defined macros to the selected Smartport type and or modify the default values of the parameters in the macros bound to that Smartport type These parameter default values are used when Auto Smartport applies the selected Smartport type if applicable to an interface STEP...

Page 261: ...en encountered with security and storm control settings a wrong port type a typo or an incorrect command within the user defined macro or an invalid parameter setting Parameters are checked for neither type nor boundary prior to the attempt to apply the macro therefore an incorrect or invalid input to a parameter value will almost assuredly cause failure when applying the macro Configuring Smartpo...

Page 262: ...Smartport type based on LLDP LLDP MED advertisement Auto Smartport Device Detection Select each type of device for which Auto Smartport can assign Smartport types to interfaces If unchecked Auto Smartport does not assign that Smartport type to any interface STEP 3 Click Apply This sets the global Smartport parameters on the device Type Settings Use the Smartport Type Settings page to edit the Smar...

Page 263: ...acro Type Select whether the pair of macro and anti macro associated with this Smartport type is a Built in Macro see Built in Smartport Macros or a User Defined Macro User Defined Macro If desired select the user defined macro that is to be associated with the selected Smartport type The macro must have already been paired with an anti macro Pairing of the two macros is done by name and is descri...

Page 264: ...e necessary corrections have been made prior to clicking Apply See the workflow area in Common Smartport Tasks section for troubleshooting tips Reapply a Smartport macro to an interface In some circumstances you may want to reapply a Smartport macro so that the configuration at an interface is up to date For instance reapplying a switch Smartport macro at a device interface makes the interface a m...

Page 265: ...ng tips Proceed to reapply the macro after correcting the problem STEP 3 Resetting all Unknown interfaces to Default type Select the Smartport Type equals to checkbox Select Unknown Click Go Click Reset All Unknown Smartports Then reapply the macro as described above This performs a reset on all interfaces with type Unknown meaning that all interfaces are returned to the Default type After correct...

Page 266: ...erface is Auto Smartport Enabling Persistent at an interface eliminates the device detection delay that otherwise occurs Macro Parameters Displays the following fields for up to three parameters in the macro Parameter Name Name of parameter in macro Parameter Value Current value of parameter in macro This can be changed here Parameter Description Description of parameter STEP 3 Click Reset to set ...

Page 267: ...aximum number of allowed devices on the port Default Values are native_vlan Default VLAN max_hosts 10 the port type cannot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicas...

Page 268: ...n the port Default Values are native_vlan Default VLAN the port type cannot be detected automatically switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portf...

Page 269: ...etected automatically switchport mode access switchport access vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_guest no_guest macro description No guest no switchport access vlan no sw...

Page 270: ...ot be detected automatically the default mode is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control broadcast enable spanning tree portfast no_server no_server macro description No server no smartport switchport trunk native vlan smartp...

Page 271: ...e is trunk smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_host no_host macro description No host no smartport switchport trunk native vlan smartport swit...

Page 272: ...ss vlan native_vlan single host port security max 1 port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_ip_camera no_ip_camera macro description No ip_camera no switchport access vlan no switchport mode no port security no port security ...

Page 273: ...port switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable spanning tree portfast no_ip_phone no_ip_phone macro description no ip_phone macro keywords voice_vlan macro key description voice_vlan T...

Page 274: ...tive_vlan Default VLAN voice_vlan 1 max_hosts 10 the default mode is trunk smartport switchport trunk allowed vlan add voice_vlan smartport switchport trunk native vlan native_vlan port security max max_hosts port security mode max addresses port security discard trap 60 smartport storm control broadcast level 10 smartport storm control include multicast smartport storm control broadcast enable sp...

Page 275: ...switch macro keywords native_vlan voice_vlan macro key description native_vlan The untag VLAN which will be configured on the port voice_vlan The voice VLAN ID Default Values are native_vlan Default VLAN voice_vlan 1 the default mode is trunk smartport switchport trunk allowed vlan add all smartport switchport trunk native vlan native_vlan spanning tree link type point to point no_switch no_switch...

Page 276: ...ort switchport trunk native vlan native_vlan smartport storm control broadcast level 10 smartport storm control broadcast enable spanning tree link type point to point no_router no_router macro description No router macro keywords voice_vlan macro key description voice_vlan The voice VLAN ID no smartport switchport trunk native vlan smartport switchport trunk allowed vlan remove all no smartport s...

Page 277: ...94 A port on a device in a bridged network is a member of a VLAN if it can send data to and receive data from the VLAN A port is an untagged member of a VLAN if all packets destined for that port into the VLAN have no VLAN tag A port is a tagged member of a VLAN if all packets destined for that port into the VLAN have a VLAN tag A port can be a member of only one untagged VLAN but can be a member ...

Page 278: ...ged or untagged member of a VLAN The egress port Adds a VLAN tag to the frame if the egress port is a tagged member of the target VLAN and the original frame does not have a VLAN tag Removes the VLAN tag from the frame if the egress port is an untagged member of the target VLAN and the original frame has a VLAN tag VLAN Roles VLANs function at Layer 2 All VLAN traffic Unicast Broadcast Multicast r...

Page 279: ...regardless of whether it was originally c tagged or untagged The S tag enables this traffic to be treated as an aggregate within a provider bridge network where the bridging is based on the S tag VID S VID only The S Tag is preserved while traffic is forwarded through the network service provider s infrastructure and is later removed by an egress device An additional benefit of QinQ is that there ...

Page 280: ... community ports to promiscuous ports and to community ports of the same community There can be a single community VLAN for each community and multiple community VLANs can coexist in the system for the same private VLAN See Figure 1 and Figure 2 for samples of how these VLANs are used Host traffic is sent on isolated and community VLANs while server and router traffic is sent on the primary VLAN S...

Page 281: ...affic Flow The following describes traffic flow from hosts to servers routers or other hosts Figure 1 Traffic from Hosts to Servers Routers Isolated 1 Isolated 2 Server Community 1 Community 1 Promiscous Promiscous Isolated Isolated Community Community Community Community 1 Isolated vlan Community Vlan ...

Page 282: ...are Release 2 4 ver 0 4 12 The following describes server router traffic reply to host Figure 2 Server Router Traffic to Hosts Isolated 1 Isolated 2 Server Community 1 Community 1 Promiscous Promiscous Isolated Isolated Community Community Community Community 1 Primary VLAN ...

Page 283: ...added to the primary VLAN s FDB This is done to allow Multicast traffic to be forwarded rather than flooded on the primary VLAN The isolated and community VLANs continue to flood Multicast traffic DHCP snooping ARP Inspection IP Source Guard The system prevents adding or removing isolated or community VLANs to a private VLAN while the above features are enabled Features Not Supported on Private VL...

Page 284: ... be added to a LAG LACP Port must not be configured as port monitor destination Required Resources Since a private VLAN is composed of multiple 802 1Q VLANs the system requires additional resources for every secondary VLAN in a private VLAN The resources for the following features are allocated per VLAN within the private VLAN Dynamic MAC Addresses MAC addresses learned on primary VLANs are copied...

Page 285: ...r VLANs This section describes the GUI pages used to configure various types of VLANs This section describes Regular VLAN Overview VLAN Settings Interface Settings Port to VLAN Port VLAN Membership VLAN Translation GVRP Settings MAC Based VLAN Group Overview Subnet Based VLAN Groups Overview Protocol Based VLAN Groups Overview Regular VLAN Overview VLAN Configuration Workflow To configure VLANs ST...

Page 286: ...e following characteristics It is distinct non static non dynamic and all ports are untagged members by default It cannot be deleted It cannot be given a label It is automatically used as the voice VLAN for OUI enabled voice VLAN If a port is no longer a member of any VLAN the device automatically configures the port as an untagged member of the default VLAN A port is no longer a member of a VLAN ...

Page 287: ...g VID inclusive When using the Range function the maximum number of VLANs you can create at one time is 100 NOTE Some VLANs are required by the system for internal system usage and therefore cannot be created or configured by the user The system requires the following VLANs for internal usage One VLAN for each IP interface that is defined directly on an Ethernet port or on a port channel LAGs One ...

Page 288: ... or LAG and click Go Ports or LAGs and their VLAN parameters are displayed STEP 4 To configure a Port or LAG select it and click Edit STEP 5 Enter the values for the following fields Interface Select a Port LAG Switchport Mode Select either Layer 2 or Layer 3 Interface VLAN Mode Select the interface mode for the VLAN The options are General The interface can support all functions as defined in the...

Page 289: ... ingress Possible values are Admit All The interface accepts all types of frames untagged frames tagged frames and priority tagged frames Admit Tagged Only The interface accepts only tagged frames Admit Untagged Only The interface accepts only untagged and priority frames Ingress Filtering Available only in General mode Select to enable ingress filtering When an interface is ingress filtering enab...

Page 290: ...lated with another layer of S VLAN tag to which the original C VLAN ID is mapped Therefore packets transmitted on non edge interfaces frames are double tagged with an outer S VLAN tag and inner C VLAN tag The Service VLAN Tag is preserved while traffic is forwarded through the network service provider s infrastructure On an egress device the S VLAN tag is stripped when a frame is sent out on an ed...

Page 291: ... following protocols cannot be enabled on edge interfaces UNI user network interfaces STP GVRP The following features are not supported on edge interfaces UNI user network interfaces RADIUS VLAN assignment 802 1x VLAN SPAN RSPAN As a destination port with the network keyword or as a reflector port destination port with the network keyword or reflector port Applying VLAN tunneling on an interface r...

Page 292: ... on this interface is defined as an egress tagged interface The interface PVID is set to 4095 VLAN Mapping To configure a VLAN mapping STEP 1 Click VLAN Management VLAN Translation VLAN Mapping A table of previously defined VLAN mappings setting is displayed STEP 2 Select one of the following Mapping Types One to One Select this option to display and edit settings of the interface set to one to on...

Page 293: ...m the VLANs When a port is forbidden default VLAN membership that port is not allowed membership in any other VLAN An internal VID of 4095 is assigned to the port To forward the packets properly intermediate VLAN aware devices that carry VLAN traffic along the path between end nodes must either be manually configured or must dynamically learn the VLANs and their port memberships from Generic VLAN ...

Page 294: ...he interface is not allowed to join the VLAN even from GVRP registration When a port is not a member of any other VLAN enabling this option on the port makes the port part of internal VLAN 4095 a reserved VID Excluded The interface is currently not a member of the VLAN This is the default for all the ports and LAGs when the VLAN is newly created Tagged The interface is a tagged member of the VLAN ...

Page 295: ...on becomes active When changing to a different mode the settings for the mode changed from are saved and will be re applied if the mode is reactivated on the interface To assign a port to one or more VLANs STEP 1 Click VLAN Management Port VLAN Membership STEP 2 Select interface type Port or LAG and click Go The following fields are displayed for all interfaces of the selected type Interface Port ...

Page 296: ...d VLANs When the port is in General mode it will be an untagged member of this VLAN Tagged VLANs When the port is in General mode it will be a tagged member of these VLAN Forbidden VLANs When the port is in General mode the interface is not allowed to join the VLAN even from GVRP registration When a port is not a member of any other VLAN enabling this option on the port makes the port part of inte...

Page 297: ...rts and to community ports Isolated VLAN ID An isolated VLAN is used to allow isolated ports to send traffic to the primary VLAN Available Community VLANs Move the VLANs that you want to be community VLANs to the Selected Community VLANs list Community VLANs are used to allow Layer 2 connectivity from community ports to promiscuous ports and to community ports of the same community This is called ...

Page 298: ...P Settings To define GVRP settings for an interface STEP 1 Click VLAN Management GVRP Settings STEP 2 Select GVRP Global Status to enable GVRP globally STEP 3 Click Apply to set the global GVRP status STEP 4 Select an interface type Port or LAG and click Go to display all interfaces of that type STEP 5 To define GVRP settings for a port select it and click Edit STEP 6 Enter the values for the foll...

Page 299: ... protocol based VLAN has been defined the VLAN is taken from the Ethernet type protocol to VLAN mapping of the ingress interface PVID VLAN is taken from the port default VLAN ID MAC Based VLAN Group Overview MAC based VLAN classification enable packets to be classified according to their source MAC address You can then define MAC to VLAN mapping per interface You can define several MAC based VLAN ...

Page 300: ...in the prefix mask 48 bits Length Prefix of the MAC address Group ID Enter a user created VLAN group ID number STEP 4 Click Apply The MAC address is assigned to a VLAN group MAC Based Groups to VLAN See Table 1 for a description of the availability of this feature Ports LAGs must be in General mode To assign a MAC based VLAN group to a VLAN on an interface STEP 1 Click VLAN Management VLAN Groups ...

Page 301: ...To define a subnet based VLAN group 1 Define a subnet based group using the Subnet Based Groups page 2 For each required interface assign the subnet based group to a VLAN using Subnet Based Groups to VLAN page The interfaces cannot have a Dynamic VLAN DVA assigned to it In IS mode the setting can be saved even when the device is not in general mode to be activated later NOTE If the interface does ...

Page 302: ...currently defined mappings are displayed STEP 2 To associate an interface with a protocol based group and VLAN click Add The Group Type field displays the type of group being mapped STEP 3 Enter the following fields Interface Port or LAG number assigned to VLAN according to protocol based group Group ID Protocol group ID VLAN ID Attaches the specified group for this interface to a user defined VLA...

Page 303: ...based Protocol value Hex Displays the protocol value in hex Group ID Displays the protocol group ID to which the interface is added STEP 2 Click the Add Button STEP 3 Enter the following fields Encapsulation Protocol Packet type The following options are available Ethernet V2 If this is selected select the Ethernet Type LLC SNAP rfc1042 If this is selected enter the Protocol Value LLC If this is s...

Page 304: ...iate an interface with a protocol based group and VLAN click Add The Group Type field displays the type of group being mapped STEP 3 Enter the following fields Interface Port or LAG number assigned to VLAN according to protocol based group Group ID Protocol group ID VLAN ID Attaches the interface to a user defined VLAN ID STEP 4 Click Apply The protocol ports are mapped to VLANs and written to the...

Page 305: ...s support this deployment model In this model the VLAN used by the phones is determined by the network configuration There may or may not be separate voice and data VLANs The phones and VoIP endpoints register with an on premise IP PBX IP Centrex ITSP hosted Cisco CP 79xx SPA5xx phones and SPA8800 endpoints support this deployment model For this model the VLAN used by the phones is determined by t...

Page 306: ...ony OUI mode and a port is manually configured as a candidate to join the voice VLAN the device dynamically adds the port to the voice VLAN if it receives a packet with a source MAC address matching to one of the configured telephony OUIs An OUI is the first three bytes of an Ethernet MAC address For more information about Telephony OUI see Telephony OUI Auto Voice VLAN In Auto Voice VLAN mode the...

Page 307: ...n voice VLAN information received in neighbor CDP advertisement and voice VLAN information received in the Voice VLAN Discovery Protocol VSDP If desired you can activate Auto Voice VLAN immediately without waiting for a trigger When Auto Smartport is enabled depending on Auto Voice VLAN mode Auto Smartport is enabled when Auto Voice VLAN becomes operational If desired you can make Auto Smartport i...

Page 308: ... discovered or until the Auto Voice VLAN is restarted by the user When restarted the device resets the voice VLAN to the default voice VLAN and restarts the Auto Voice VLAN discovery When a new voice VLAN is configured discovered the device automatically creates it and replaces all the port memberships of the existing voice VLAN to the new voice VLAN This may interrupt or terminate existing voice ...

Page 309: ...oice streams using advanced QoS For Telephony OUI voice streams you can override the quality of service and optionally remark the 802 1p of the voice streams by specifying the desired CoS 802 1p values and using the remarking option under Telephony OUI Voice VLAN Constraints The following constraints exist Only one Voice VLAN is supported A VLAN that is defined as a Voice VLAN cannot be removed In...

Page 310: ... Dynamic Voice VLAN to Enable Auto Voice VLAN STEP 4 Select the Auto Voice VLAN Activation method NOTE If the device is currently in Telephony OUI mode you must disable it before you can configure Auto Voice Vlan STEP 5 Click Apply STEP 6 Configure Smartports as described in the Common Smartport Tasks section STEP 7 Configure LLDP CDP as described in the Discover LLDP and Discovery CDP sections re...

Page 311: ...o Voice VLAN Configure how Auto Voice VLAN is triggered To view and configure Voice VLAN properties STEP 1 Click VLAN Management Voice VLAN Properties The voice VLAN settings configured on the device are displayed in the Voice VLAN Settings Administrative Status block The voice VLAN settings that are actually being applied to the voice VLAN deployment are displayed in the Voice VLAN Settings Opera...

Page 312: ...ields are displayed Dynamic Voice VLAN Select this field to disable or enable voice VLAN feature in one of the following ways Enable Auto Voice VLAN Enable Dynamic Voice VLAN in Auto Voice VLAN mode Enable Telephony OUI Enable Dynamic Voice VLAN in Telephony OUI mode Disable Disable Auto Voice Vlan or Telephony OUI Auto Voice VLAN Activation If Auto Voice VLAN was enabled select one of the followi...

Page 313: ...nformation about the current voice VLAN and its source Auto Voice VLAN Status Displays whether Auto Voice VLAN is enabled Voice VLAN ID The identifier of the current voice VLAN Source Type Displays the type of source where the voice VLAN is discovered by the root device CoS 802 1p Displays CoS 802 1p values to be used by the LLDP MED as a voice network policy DSCP Displays DSCP values to be used b...

Page 314: ...ic User defined voice VLAN configuration defined on the device CDP UC that advertised voice VLAN configuration is running CDP LLDP UC that advertised voice VLAN configuration is running LLDP Voice VLAN ID The identifier of the advertised or configured voice VLAN Voice VLAN ID The identifier of the current voice VLAN CoS 802 1p The advertised or configured CoS 802 1p values that are used by the LLD...

Page 315: ...elephony OUI page to view existing OUIs and add new OUIs To configure Telephony OUI and or add a new Voice VLAN OUI STEP 1 Click VLAN Management Voice VLAN Telephony OUI The Telephony OUI page contains the following fields Telephony OUI Operational Status Displays whether OUIs are used to identify voice traffic CoS 802 1p Select the CoS queue to be assigned to voice traffic Remark CoS 802 1p Selec...

Page 316: ...ality of Service QoS values configured to the Voice VLAN are applied to all of the incoming frames that are received on the interface and are classified to the Voice VLAN Telephony Source MAC Address SRC The QoS values configured for the Voice VLAN are applied to any incoming frame that is classified to the Voice VLAN and contains an OUI in the source MAC address that matches a configured telephon...

Page 317: ...subscriber VLAN Subscribers who are not on the same data VLAN Layer 2 isolated and are connected to the device with different VLAN ID membership can share the same Multicast stream by joining the ports to the same Multicast VLAN ID The network port connected to the Multicast server is statically configured as a member in the Multicast VLAN ID The network ports which through subscribers communicate...

Page 318: ...d on an access port whether to associate it with the access VLAN or with the Multicast TV VLAN according to the following rules If an IGMP message is received on an access port with destination Multicast IP address that is associated with the port s Multicast TV VLAN then the software associates the IGMP packet with the Multicast TV VLAN Otherwise the IGMP message is associated to the access VLAN ...

Page 319: ...t Multicast TV VLAN Multicast Group to VLAN The following fields are displayed Multicast TV VLAN VLAN to which the Multicast packets are assigned Multicast Group Start First IPv4 address of the Multicast group Group End Final IPv4 address of the Multicast group range Group registration All Multicast group registration is dynamic Groups must be associated to Multicast VLAN statically but actual reg...

Page 320: ...Multicast addresses in the group range By range Specify an IPv4 Multicast address greater than the address in the Multicast Group Start field This will be the last address of the range STEP 3 Click Apply Multicast TV VLAN settings are modified and written to the Running Configuration file Port Multicast VLAN Membership To define the Multicast TV VLAN configuration STEP 1 Click VLAN Management Acce...

Page 321: ... that for each service type there is a unique VLAN ID in the CPE box All packets from the subscriber to the service provider network are encapsulated by the access device with the subscriber s VLAN configured as customer VLAN Outer tag or S VID except for IGMP snooping messages from the TV receivers which are associated with the Multicast TV VLAN VOD information that is also sent from the TV recei...

Page 322: ...ple video providers and each provider is assigned a different external VLAN CPE internal Multicast VLANs must be mapped to the Multicast provider external VLANs After a CPE VLAN is mapped to a Multicast VLAN it can participate in IGMP snooping To map CPE VLANs STEP 1 Click VLAN Management Customer Port Multicast TV VLAN CPE VLAN to VLAN STEP 2 Click Add STEP 3 Enter the following fields CPE VLAN E...

Page 323: ...ustomer Port Multicast TV VLAN Port Multicast VLAN Membership STEP 2 Select a VLAN from Multicast TV VLAN STEP 3 Select an interface from Interface Type STEP 4 The Candidate Customer Ports list contains all access ports configured on the device Move the required ports to the Member Customer Ports field STEP 5 Click Apply The new settings are modified and written to the Running Configuration file ...

Page 324: ...ain from Broadcast storms by selectively setting links to standby mode to prevent loops In standby mode these links temporarily stop transferring user data After the topology changes so that the data transfer is made possible the links are automatically re activated Loops occur when alternate paths exist between hosts Loops can cause switches to relay the same packets indefinitely resulting packet...

Page 325: ...ded to the port that is blocked This is not an efficient usage of bandwidth as the blocked port will always be unused MSTP solves this problem by enabling several STP instances so that it is possible to detect and mitigate loops separately in each instance This enables a port to be blocked for one or more STP instances but non blocked for other STP instances If different VLANs are associated with ...

Page 326: ...dresses are used to determine the Root Bridge The bridge priority value is provided in increments of 4096 For example 4096 8192 12288 and so on Hello Time Set the interval in seconds that a Root Bridge waits between configuration messages Max Age Set the interval in seconds that the device can wait without receiving a configuration message before attempting to redefine its own configuration Forwar...

Page 327: ...STP path Root Forwarding packets through this interface provides the lowest cost path for forwarding packets to the root device Designated The interface through which the bridge is connected to the LAN which provides the lowest root path cost from the LAN to the Root Bridge for the MST instance Alternate The interface provides an alternate path to the root device from the root interface Backup The...

Page 328: ...t Normally all root bridge ports are designated ports unless two or more ports of the root bridge are connected If the bridge receives superior BPDUs on a Root Guard enabled port Root Guard moves this port to a root inconsistent STP state This root inconsistent state is effectively equal to a listening state No traffic is forwarded across this port In this way Root Guard enforces the position of t...

Page 329: ...e port cannot forward traffic and cannot learn MAC addresses Learning The port is in Learning mode The port cannot forward traffic but it can learn new MAC addresses Forwarding The port is in Forwarding mode The port can forward traffic and learn new MAC addresses Designated Bridge ID Displays the bridge priority and the MAC address of the designated bridge Designated Port ID Displays the priority...

Page 330: ...ers whether the link partner using STP still exists and if so whether it has migrated to RSTP or MSTP If it still exists as an STP link the device continues to communicate with it by using STP Otherwise if it has been migrated to RSTP or MSTP the device communicates with it using RSTP or MSTP respectively STEP 6 Select an interface and click Edit STEP 7 Enter the parameters Interface Set the inter...

Page 331: ...gment Disabled The port is not participating in Spanning Tree Mode Displays the current Spanning Tree mode Classic STP or RSTP Fast Link Operational Status Displays whether the Fast Link Edge Port is enabled disabled or automatic for the interface The values are Enabled Fast Link is enabled Disabled Fast Link is disabled Auto Fast Link mode is enabled a few seconds after the interface becomes acti...

Page 332: ... what VLAN and associate these MSTP instances to VLAN s accordingly STEP 4 Configure the MSTP attributes by MSTP Properties MSTP Instance Settings VLANs to a MSTP Instance MSTP Properties The global MSTP configures a separate Spanning Tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree instance MSTP enables formation of MST regions that can run...

Page 333: ...he current MST configuration The field range is from 0 to 65535 Max Hops Set the total number of hops that occur in a specific region before the BPDU is discarded Once the BPDU is discarded the port information is aged out The field range is from 1 to 40 IST Master Displays the regions master STEP 5 Click Apply The MSTP properties are defined and the Running Configuration file is updated VLANs to ...

Page 334: ...t STEP 3 Enter the parameters MSTP Instance ID Select the MST instance VLANs Define the VLANs being mapped to this MST instance Action Define whether to Add map the VLAN to the MST instance or Remove it STEP 4 Click Apply The MSTP VLAN mappings are defined and the Running Configuration file is updated MSTP Instance Settings The MSTP Instance Settings page enables you to configure and view paramete...

Page 335: ...ion file is updated MSTP Interface Settings The MSTP Interface Settings page enables you to configure the port MSTP settings for every MST instance and to view information that has currently been learned by the protocol such as the designated bridge per MST instance To configure the ports in an MST instance STEP 1 Click Spanning Tree MSTP Interface Settings STEP 2 Enter the parameters Instance equ...

Page 336: ... from instance 0 and can be viewed on the STP Interface Settings page Port Role Displays the port or LAG role per port or LAG per instance assigned by the MSTP algorithm to provide STP paths Root Forwarding packets through this interface provides the lowest cost path for forwarding packets to the root device Designated Port The interface through which the bridge is connected to the LAN which provi...

Page 337: ... an internal port Designated Bridge ID Displays the ID number of the bridge that connects the link or shared LAN to the root Designated Port ID Displays the Port ID number on the designated bridge that connects the link or the shared LAN to the root Designated Cost Displays the cost of the port participating in the STP topology Ports with a lower cost are less likely to be blocked if STP detects l...

Page 338: ... in a frame arriving at the device is added to the Dynamic Address table This MAC address is retained for a configurable period of time If another frame with the same source MAC address does not arrive at the device before that time period expires the MAC entry is aged deleted from the table When a frame arrives at the device the device searches for a corresponding matching destination MAC address...

Page 339: ...ses STEP 2 Click Add STEP 3 Enter the parameters VLAN ID Select the VLAN ID for the port MAC Address Enter the interface MAC address Interface Select an interface unit slot port or LAG for the entry Status Select how the entry is treated The options are Permanent The system never removes this MAC address If the static MAC address is saved in the Startup Configuration it is retained after rebooting...

Page 340: ...tings STEP 2 Enter Aging Time The aging time is a value between the user configured value and twice that value minus 1 For example if you entered 300 seconds the aging time is between 300 and 599 seconds STEP 3 Click Apply The aging time is updated Dynamic Addresses To query dynamic addresses STEP 1 Click MAC Address Tables Dynamic Addresses STEP 2 In the Filter block you can enter the following q...

Page 341: ...for the following field Protocol Displays the protocol supported on the device called Peer STEP 2 Click Add STEP 3 Enter the values for the following fields MAC Address Select the MAC address to be reserved Frame Type Select a frame type based on the following criteria Ethernet V2 Applies to Ethernet V2 packets with the specific MAC address LLC Applies to Logical Link Control LLC packets with the ...

Page 342: ...ation dissemination Multicast applications are useful for dissemination of information to multiple clients where clients do not require reception of the entire content A typical application is a cable TV like service where clients can join a channel in the middle of a transmission and leave before it ends The data is sent only to relevant ports Forwarding the data only to the relevant ports conser...

Page 343: ...s G You can configure one of the following ways of forwarding Multicast frames MAC Group Address Based on the destination MAC address in the Ethernet frame NOTE One or more IP Multicast group addresses can be mapped to a MAC group address Forwarding based on the MAC group address can result in an IP Multicast stream being forwarded to ports that have no receiver for the stream IP Group Address Bas...

Page 344: ...me to all the ports that have registered to receive the Multicast stream using IGMP MLD Join messages The system maintains lists of Multicast groups for each VLAN and these lists manage the Multicast information that each port should receive The Multicast groups and their receiving ports can be configured statically or learned dynamically using IGMP or MLD protocols snooping Multicast Registration...

Page 345: ...ocal server but the router if one exists on that network does not support Multicast The device can be configured to be an IGMP Querier as a backup querier or in situation where a regular IGMP Querier does not exist The device is not a full capability IGMP Querier If the device is enabled as an IGMP Querier it starts after 60 seconds have passed with no IGMP traffic queries detected from a Multicas...

Page 346: ...of these upper bits are mapped to the same Layer 2 address since the lower 23 bits that are used are identical For example 234 129 2 3 is mapped to a MAC Multicast group address 01 00 5e 01 02 03 Up to 32 IP Multicast group addresses can be mapped to the same Layer 2 address For IPv6 this is mapped by taking the 32 low order bits of the Multicast address and adding the prefix of 33 33 For example ...

Page 347: ... upstream interface and one or more downstream interfaces These designations are explicitly configured there is no protocol to determine what type each interface is A proxy device performs the router portion of IGMP MLD on its downstream interfaces and the host portion of IGMP MLD on its upstream interface Only one tree is supported Forwarding Rules and Querier The following rules are applied A Mu...

Page 348: ...ddress is configured on the VLAN the operational forwarding method for IPv6 Multicast will be IP Group Address NOTE For IPv6 IP Group Address and Source Specific IP Group Address modes the device checks a match only for 4 bytes of the destination Multicast address and for the source address For the destination Multicast address the last 4 bytes of group ID are matched For the source address the la...

Page 349: ...efine and view MAC Multicast groups STEP 1 Click Multicast MAC Group Address STEP 2 Enter the Filter parameters VLAN ID Equals To Set the VLAN ID of the group to be displayed MAC Group Address Equals To Set the MAC address of the Multicast group to be displayed If no MAC GroupAddress is specified the page contains all the MAC Group Addresses from the selected VLAN STEP 3 Click Go and the MAC Multi...

Page 350: ...he interface to the Multicast group as a static member Dynamic Indicates that the interface was added to the Multicast group as a result of IGMP MLD snooping Forbidden Specifies that this port is not allowed to join this Multicast group on this VLAN None Specifies that the port is not currently a member of this Multicast group on this VLAN STEP 10 Click Apply and the Running Configuration file is ...

Page 351: ...the Multicast group is only defined by destination STEP 3 Click Go The results are displayed in the lower block STEP 4 Click Add to add a static IP Multicast Group Address STEP 5 Enter the parameters VLAN ID Defines the VLAN ID of the group to be added IP Version Select the IP address type IP Multicast Group Address Define the IP address of the new Multicast group Source Specific Indicates that th...

Page 352: ... group on this VLAN None Indicates that the port is not currently a member of this Multicast group on this VLAN This is selected by default until Static or Forbidden is selected STEP 9 Click Apply The Running Configuration file is updated IPv4 Multicast Configuration The following pages configure IPv4 Multicast Configuration IGMP Snooping IGMP Interface Settings IGMP VLAN Settings IGMP Proxy IGMP ...

Page 353: ...es STEP 2 To configure IGMP on an interface select a static VLAN and click Edit Enter the following fields IGMP Snooping Status Select to enable IGMP Snooping on the VLAN The device monitors network traffic to determine which hosts have asked to be sent Multicast traffic The device performs IGMP snooping only when IGMP snooping and Bridge Multicast filtering are both enabled MRouter Ports Auto Lea...

Page 354: ...se Interval IGMP Querier Version Select the IGMP version to be used if the device becomes the elected querier Select IGMPv3 if there are switches and or Multicast routers in the VLAN that perform source specific IP Multicast forwarding Otherwise select IGMPv2 Querier Source IPAddress Select the device source interface to be used in messages sent In MLD this address is selected automatically by the...

Page 355: ...Multicast packets are forwarded on the interface A value of 256 means that no Multicast packets are forwarded on the interface Configure the TTL threshold only on border routers Conversely routers on which you configure a TTL threshold value automatically become border routers STEP 2 Select an interface and click Edit Enter the values of the fields described above STEP 3 Click Apply The Running Co...

Page 356: ...automatically become border routers STEP 2 Select an interface and click Edit Enter the values of the fields described above STEP 3 Click Apply The Running Configuration file is updated IGMP Proxy To configure IGMP Proxy STEP 1 Click Multicast IPv4 Multicast Configuration IGMP Proxy STEP 2 Enter the following global fields IGMP Multicast Routing Select to enable IPv4 Multicast routing Downstream P...

Page 357: ... forwarding of IPv4 Multicast traffic from downstream interfaces Enable This disables forwarding from downstream interfaces STEP 5 Click Apply The Running Configuration file is updated The following fields are displayed for each IPv4 Multicast route Source Address Unicast source IPv4 address Group Address Multicast destination IPv4 address Incoming Interface Expected interface for a Multicast pack...

Page 358: ...obally enabled the device monitoring network traffic can determine which hosts have requested to receive Multicast traffic The device performs MLD Snooping only if both MLD snooping and Bridge Multicast filtering are enabled The MLD Snooping Table is displayed The fields displayed are described in the Edit page below In addition the following fields are displayed MLD Snooping Status Displays wheth...

Page 359: ...ies sent before the device assumes there are no more members for the group if the device is the elected querier Use Query Robustness x This value is set in MLD Interface Settings page The number in parentheses is the current query robustness value User Defined Enter a user defined value MLD Querier Status Select to enable this feature This feature is required if there is no Multicast router MLD Qu...

Page 360: ...to be used if this device is the elected querier Query Max Response Interval sec Delay used to calculate the Maximum Response Code inserted into the periodic general queries Last Member Query Interval msec Maximum Response Delay to be used if the device cannot read Max Response Time value from group specific queries sent by the elected querier Multicast TTL Threshold Enter the Time to Live TTL thr...

Page 361: ...de inserted into the periodic General Queries Last Member Query Interval msec Enter the Maximum Response Delay to be used if the device cannot read Max Response Time value from group specific queries sent by the elected querier Multicast TTL Threshold Enter the Time to Live TTL threshold of packets being forwarded on an interface Multicast packets with a TTL value less than the threshold are not f...

Page 362: ...he SSM range access list to FF3E 32 User defined access list Select the standard IPv6 access list name defining the SSM range These access lists are defined in Access Lists STEP 3 Click Apply The Running Configuration file is updated STEP 4 To add protection to a VLAN click Add and enter the following fields Upstream Interface Select the outgoing interface Downstream Interface Select the incoming ...

Page 363: ...ket from the source If the packet is not received on this interface it is discarded Outgoing Interfaces Interfaces through which packets will be forwarded Uptime Length of time in hours minutes and seconds that the entry has been in the IP Multicast routing table Expiry Time Length of time in hours minutes and seconds until the entry is removed from the IP Multicast routing table ...

Page 364: ...ntries on this page To query for a IP Multicast group STEP 1 Click Multicast IGMP MLD Snooping IP Multicast Group STEP 2 Set the type of snooping group for which to search IGMP or MLD STEP 3 Enter some or all of following query filter criteria Group Address equals to Defines the Multicast group MAC address or IP address to query Source Address equals to Defines the sender address to query VLAN ID ...

Page 365: ...her to display ports or LAGs STEP 3 Click Go The interfaces matching the query criteria are displayed STEP 4 For each port or LAG select its association type The options are as follows Static The port is statically configured as a Multicast router port Dynamic Display only The port is dynamically configured as a Multicast router port by a MLD IGMP query To enable the dynamic learning of Multicast ...

Page 366: ...ollowing VLAN ID equals to The VLAN ID the ports LAGs are to be displayed Interface Type equals to Define whether to display ports or LAGs STEP 3 Click Go The status of all ports LAGs are displayed STEP 4 Select the port LAG that is to be defined as Forward All by using the following methods Static The port receives all Multicast streams Forbidden Ports cannot receive any Multicast streams even if...

Page 367: ... either ports or LAGs STEP 3 Click Go STEP 4 Define the following Port LAG Displays the port or LAG ID Displays the forwarding status of the selected interface The possible values are Forwarding Enables forwarding of unregistered Multicast frames to the selected interface Filtering Enables filtering rejecting of unregistered Multicast frames to the selected interface STEP 5 Click Apply The setting...

Page 368: ... 1518 bytes If jumbo frames are enabled the L3 traffic MTU for traffic is limited to 9000 bytes The factory default IPv4 interface setting of the default VLAN is DHCPv4 This means that the device acts as a DHCPv4 client and sends out a DHCPv4 request during boot up If the device receives a DHCPv4 response from the DHCPv4 server with an IPv4 address it sends Address Resolution Protocol ARP packets ...

Page 369: ...en the device is acquiring an IP address and is currently using the factory default IP address 192 168 1 254 The same rules apply when a client must renew the lease prior to its expiration date through a DHCPREQUEST message With factory default settings when no statically defined or DHCP acquired IP address is available the default IP address is used When the other IP addresses become available th...

Page 370: ...te IP applications Communication remains intact as long as the remote applications can be reached from any one of the switch s active non loopback IP interfaces On the other hand if the IP address of an IP interface is used in communicating with remote applications the communication will be terminated when the IP interface is down A loopback interface does not support bridging it cannot be a membe...

Page 371: ...software Hardware routing provides wire speed Layer 3 traffic forwarding and software routing is limited by CPU capabilities and other tasks being performed by the software NOTE The device software consumes one VLAN ID VID for every IP address configured on a port or LAG The device takes the first VID that is not used starting from 4094 To configure the IPv4 addresses STEP 1 Click IP Configuration...

Page 372: ...leted and a duplicate IP address was detected Duplicated A duplicated IP address was detected for the default IP address Delayed The assignment of the IP address is delayed for 60 second if DHCP Client is enabled on startup in order to give time to discover DHCP address Not Received Relevant for DHCP Address When a DCHP Client starts a discovery process it assigns a dummy IP address 0 0 0 0 before...

Page 373: ...o the longest prefix match LPM algorithm A destination IPv4 address may match multiple routes in the IPv4 Static Route Table The device uses the matched route with the highest subnet mask that is the longest prefix match If more than one default gateway is defined with the same metric value the lowest IPv4 address from among all the configured default gateways is used To define an IP static route ...

Page 374: ...tination IP in IP address format Route Type Select the route type Reject Rejects the route and stops routing to the destination network via all gateways This ensures that if a frame arrives with the destination IP of this route it is dropped Selecting this value disables the following controls Next Hop IP Address Metric and IP SLA Track Remote Indicates that the route is a remote path Next Hop Rou...

Page 375: ...route is a local reject or remote route Next Hop Router IPAddress The next hop IP address Route Owner This can be one of the following options Default Route was configured by default system configuration Static Route was manually created Dynamic Route was created by an IP routing protocol DHCP Route was received from a DHCP server Directly Connected Route is a subnet to which the device is connect...

Page 376: ... Management and Interfaces ARP STEP 2 Enter the parameters ARPEntryAge Out Enter the number of seconds that dynamic addresses can remain in the ARP table A dynamic address ages out after the time it is in the table exceeds the ARP Entry Age Out time When a dynamic address ages out it is deleted from the table and only returns when it is relearned Clear ARP Table Entries Select the type of ARP entr...

Page 377: ...etwork NOTE The ARP proxy feature is only available when the device is in L3 mode The ARP Proxy is aware of the destination of traffic and offers another MAC address in reply Serving as an ARP Proxy for another host effectively directs LAN traffic destination to the host The captured traffic is then typically routed by the Proxy to the intended destination by using another interface or by using a ...

Page 378: ... Interface to where the device is to relay UDP Broadcast packets based on a configured UDP destination port The interface must be one of the IPv4 interfaces configured on the device STEP 4 Enter the UDP Destination Port number for the packets that the device is to relay Select a well known port from the drop down list or click the port radio button to enter the number manually STEP 5 Enter the Des...

Page 379: ...rview DHCP Relay relays DHCP packets to the DHCP server The device can relay DHCP messages received from VLANs that do not have IP addresses Whenever DHCP Relay is enabled on a VLAN without an IP address Option 82 is inserted automatically This insertion is in the specific VLAN and does not influence the global administration state of Option 82 insertion Transparent DHCP Relay For Transparent DHCP...

Page 380: ...y DHCP Relay can and does broadcast DHCP messages between DHCP client and DHCP server Unicast DHCP messages are passed by regular routers and therefore if DHCP Relay is enabled on a VLAN without an IP address an external router is needed DHCP Relay and only DHCP Relay relays DHCP messages to a DHCP server Interactions Between DHCPv4 Snooping DHCPv4 Relay and Option 82 The following tables describe...

Page 381: ...16 Option 82 Insertion Enabled Relay is sent with Option 82 Bridge no Option 82 is sent Packet is sent with the original Option 82 Relay is sent with Option 82 Bridge no Option 82 is sent Relay discards the packet Bridge Packet is sent with the original Option 82 DHCP Relay VLAN with IP Address DHCP Relay VLAN without IP Address ...

Page 382: ...nt without Option 82 Packet is sent with the originalOption 82 Relay inserts Option 82 Bridge no Option 82 is inserted Relay discards the packet Bridge Packet is sent with the original Option 82 Option 82 Insertion Enabled Relay is sent with Option 82 Bridge Option 82 is added if port is trusted behaves as if DHCPSnooping is not enabled Packet is sent with the originalOption 82 Relay is sent with ...

Page 383: ...thout Option 82 2 If reply does not originate in device packet is discarded Bridge Packet is sent with the original Option 82 Option 82 insertion enabled Packet is sent without Option 82 Relay Packet is sent without Option 82 Bridge Packet is sent with the Option 82 Relay discards Option 82 Bridge Packet is sent without Option 82 Relay Packet is sent without Option 82 Bridge Packet is sent with th...

Page 384: ...ts are untrusted To create a port as trusted use the Interface Settings page Packets from these ports are automatically forwarded Packets from trusted ports are used to create the Binding database and are handled as described below If DHCP Snooping is not enabled all ports are trusted by default Option 82 Insertion Disabled Packet is sent withoutOption 82 Packet is sent with the original Option 82...

Page 385: ...nding database STEP 3 Device forwards DHCPDISCOVER or DHCPREQUEST packets STEP 4 DHCP server sends DHCPOFFER packet to offer an IP address DHCPACK to assign one or DHCPNAK to deny the address request STEP 5 Device snoops packet If an entry exists in the DHCP Snooping Binding table that matches the packet the device replaces it with IP MAC binding on receipt of DHCPACK STEP 6 Device forwards DHCPOF...

Page 386: ...abase DHCPNAK Filter Same as DHCPOFFER Remove entry if exists DHCPDECLINE Check if there is information in the database If the information exists and does not match the interface on which the message was received the packet is filtered Otherwise the packet is forwarded to trusted interfaces only and the entry is removed from database Forward to trusted interfaces only DHCPRELEASE Same as DHCPDECLI...

Page 387: ...nooping STEP 1 Enable DHCP Snooping and or DHCP Relay in the Properties page STEP 2 Define the interfaces on which DHCP Snooping is enabled in the Interface Settings page STEP 3 Configure interfaces as trusted or untrusted in the DHCP Snooping Trusted Interfaces page STEP 4 Optional Add entries to the DHCP Snooping Binding database in the DHCP Snooping Binding Database page Properties To configure...

Page 388: ...CP server click Add STEP 4 Enter the IP address of the DHCP server and click Apply The settings are written to the Running Configuration file Interface Settings DHCP Relay and Snooping can be enabled on any interface or VLAN For DHCP relay to be functional an IP address must be configured on the VLAN or interface To enable DHCP Snooping Relay on specific interfaces STEP 1 Click IP Configuration IP...

Page 389: ...interface If a port is down the entries for that port are not deleted When DHCP Snooping is disabled for a VLAN the binding entries that collected for that VLAN are removed If the database is full DHCP Snooping continue to forward packets but new entries are not created Note that if the IP source guard and or ARP inspection features are active the clients that are not written in the DHCP Snooping ...

Page 390: ...ress of packet Interface Unit Slot Interface on which packet is expected Type The possible field values are Dynamic Entry has limited lease time Static Entry was statically configured Lease Time If the entry is dynamic enter the amount of time that the entry is to be active in the DHCP Database If there is no Lease Time check Infinite STEP 4 Click Apply The settings are defined and the device is u...

Page 391: ...e client must request another IP address This is done in the Network Pool page Dependencies Between Features It is impossible to configure DHCP server and DHCP client on the system at the same time meaning if one interface is DHCP client enabled it is impossible to enable DHCP server globally If DHCPv4 Relay is enabled the device cannot be configured as a DHCP server Default Settings and Configura...

Page 392: ...e device immediately begins functioning as a DHCP server However it does not assign IP addresses to clients until a pool is created Network Pool When the device is serving as a DHCP server one or more pools of IP addresses must be defined from which the device will allocate IP addresses to DHCP clients Each network pool contains a range of addresses that belong to a specific subnet These addresses...

Page 393: ...Pool Start and Address Pool End STEP 3 Enter the fields Pool Name Enter the pool name Subnet IPAddress Enter the subnet in which the network pool resides Mask Enter one of following Network Mask Check and enter the pool s network mask Prefix Length Check and enter the number of bits that comprise the address prefix Address Pool Start Enter the first IP address in the range of the network pool Addr...

Page 394: ...ypically not the best choice for larger networks because its preference for b node Broadcasts increases network traffic Peer to Peer Point to point communications with a NetBIOS name server are used to register and resolve computer names to IP addresses Broadcast IPBroadcast messages are used to register and resolve NetBIOS names to IP addresses SNTP Server IPAddress Option 4 Select one of the dev...

Page 395: ...permanent IP address that never changes This client is then known as a static host You can define up to 120 static hosts To manually allocate a permanent IP address to a specific client STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Server Static Hosts The static hosts are displayed The fields displayed are described in the Add page except for the following MAC Address Client Id...

Page 396: ...S name server available to the static host NetBIOS Node Type Option 46 Select how to resolve the NetBIOS name Valid node types are Hybrid A hybrid combination of b node and p node is used When configured to use h node a computer always tries p node first and uses b node only if p node fails This is the default Mixed A combination of b node and p node communications is used to register and resolve ...

Page 397: ...cket is received containing option 66 the TFTP server is returned as the value of option 66 To configure one or more DHCP options STEP 1 Click IP Configuration IPv4 Management and Interfaces DHCP Server DHCP Options The previously configured DHCP options are displayed STEP 2 To configure an option that has not been configured yet enter the field DHCP Server Pool Name equals to Select one of the po...

Page 398: ...e If the type is not Boolean enter the value to be sent for this code Description Enter a text description for documentation purposes STEP 4 Click Apply The Running Configuration file is updated Address Binding Use the Address Binding page to view and remove the IP addresses allocated by the device and their corresponding MAC addresses To view and or remove address bindings STEP 1 Click IP Configu...

Page 399: ... State The possible options are Allocated IP address has been allocated When a static host is configured its state is allocated Declined IP address was offered but not accepted therefore it is not allocated Expired The lease of the IP address has expired Pre Allocated An entry will be in pre allocated state from the time between the offer and the time that the DHCP ACK is sent from the client Then...

Page 400: ...he IPv4 infrastructure Tunneling uses either an ISATAP or manual mechanism see IPv6 Tunnel Tunneling treats the IPv4 network as a virtual IPv6 local link with mappings from each IPv4 address to a link local IPv6 address The device detects IPv6 frames by the IPv6 Ethertype In the same way as occurs in IPv4 routing frames addressed to the devices s MAC address but to an IPv6 address that is not know...

Page 401: ...Pv6 routing If this is not enabled the device acts as a host not a router and can receive management packets but cannot forward packets If routing is enabled the device can forward the IPv6 packets Enabling IPv6 routing will remove any address previously assigned to the device interface via the auto config operation from an RA sent by a Router in the network ICMPv6 Rate Limit Interval Enter how of...

Page 402: ...s of interfaces a tunnel interface is first created in the IPv6 Tunnel page and then IPv6 interface is configured on the tunnel in this page To define an IPv6 interface STEP 1 Click IP Configuration IPv6 Management and Interfaces IPv6 Interfaces STEP 2 Enter the parameters IPv6 Link Local Default Zone Select to enable defining a default zone This is an interface to be used to egress a link local p...

Page 403: ...resh unless the server sends this option or User Defined to set a value STEP 7 To configure additional IPv6 parameters enter the following fields IPv6 Address Auto Configuration Select to enable automatic address configuration from router advertisements sent by neighbors Number of DAD Attempts Enter the number of consecutive neighbor solicitation messages that are sent while Duplicate Address Dete...

Page 404: ...t When the button is pressed it displays the following fields for the information that was received from the DHCP server DHCP Operational Mode This displays Enabled if the following conditions are fulfilled The interface is Up IPv6 is enabled on it DHCPv6 client is enabled on it Stateful Service State Does the client receive stateful configuration information from a DHCP server Stateless Service S...

Page 405: ...dress The IPv6 packet is encapsulated between these addresses ISATAP Tunnels The device supports a single Intra Site Automatic Tunnel Addressing Protocol ISATAP tunnel An ISATAP tunnel is a point to multi point tunnel The source address is the IPv4 address or one of the IPv4 addresses of the device When configuring an ISATAP tunnel the destination IPv4 address is provided by the router Note that A...

Page 406: ...addresses and the destination IPv4 address 6 to 4 Tunnel 6 to 4 is an automatic tunneling mechanism that uses the underlying IPv4 network as a non Broadcast multiple access link layer for IPv6 Only one 6 to 4 tunnel is supported on a device The 6to4 tunnel is supported only when IPv6 Forwarding is supported IPv6 Multicast is not supported on the 6to4 tunnel interface The switch automatically creat...

Page 407: ...unnels are only relevant for the SG350XG SX350X device and the Sx550 family of devices For these devices the page displays the IPv6 Tunnel Table which displays and enables to create and configure IPv6 tunnels see steps below The Sx350 and Sx350X support only ISATAP tunnels For these devices the ISATAP tunnel is configured by clicking the Create ISATAP Tunnel button and entering information for the...

Page 408: ...ess for packets sent on the tunnel interface If the minimum IPv4 address is removed from the interface removed at all or moved to another interface the next minimum IPv4 address is selected as the local IPv4 address IPv4 Address Enter the IPv4 address of the interface that will be used as the source address of the tunnel Interface Select the interface whose IPv4 address will be used as the source ...

Page 409: ...her Duplicate Access Detection is active or not and the DAD state Preferred Lifetime Displays the entry preferred lifetime Valid Lifetime Displays the entry valid lifetime Expiry Time Displays the expiry time STEP 3 Click Add STEP 4 Enter values for the fields IPv6 Interface Displays the interface on which the IPv6 address is to be defined If an is displayed this means that the IPv6 interface is n...

Page 410: ...mum of 128 addresses at the interface Each address must be a valid IPv6 address that is specified in hexadecimal format by using 16 bit values separated by colons The following types of addresses can be added to various types of tunnels To manual tunnels Global or Anycast address To ISATAP tunnels Global address with EUI 6 6 to 4 tunnels None Prefix Length The length of the Global IPv6 prefix is a...

Page 411: ...tate that hosts should prefer one of the routers Include Advertisement Interval Option Select to indicate that an advertisement option will be used by the system This option indicates to a visiting mobile node the interval at which that node may expect to receive router advertisements The node may use this information in its movement detection algorithm Hop Limit This is the value that the router ...

Page 412: ...rtisement Lifetime Enter the remaining length of time in seconds that this router will continue to be useful as a default router A value of zero indicates that it is no longer useful as a default router Reachable Time Enter the amount of time that a remote IPv6 node is considered reachable in milliseconds User Defined or select the Use Default option to use the system default STEP 4 Click Apply to...

Page 413: ...he valid lifetime Infinite Select this value to set the field to 4 294 967 295 which represents infinity User Defined Enter a value Auto Configuration Enable automatic configuration of IPv6 addresses using stateless auto configuration on an interface and enable IPv6 processing on the interface Addresses are configured depending on the prefixes received in Router Advertisement messages Prefix Statu...

Page 414: ... made to insert more than a single user defined address An alert message appears when attempting to insert a non link local type address meaning fe80 To define a default router STEP 1 Click IP Configuration IPv6 Management and Interfaces IPv6 Default Router List This page displays the following fields for each default router Outgoing Interface Outgoing IPv6 interface where the default router resid...

Page 415: ...g and viewing the list of IPv6 neighbors on the IPv6 interface The IPv6 Neighbor Table also known as IPv6 Neighbor Discovery Cache displays the MAC addresses of the IPv6 neighbors that are in the same IPv6 subnet as the device This is the IPv6 equivalent of the IPv4 ARP Table When the device needs to communicate with its neighbors the device uses the IPv6 Neighbor Table to determine the MAC addres...

Page 416: ... predefined Delay Time If no reachability confirmation is received the state changes to Probe Probe Neighbor is no longer known to be reachable and Unicast Neighbor Solicitation probes are being sent to verify the reachability Router Specifies whether the neighbor is a router Yes or No STEP 2 To add a neighbor to the table click Add STEP 3 The following fields are displayed Interface Displays the ...

Page 417: ...o a full 32 bit length If only Lower Than is specified the range is from the value entered for the network length argument to the Lower Than If both the Greater Than and Lower Than arguments are entered the range is between the values used for Greater Than and Lower Than To create a prefix list STEP 1 Click IP Configuration IPv6 Management Interfaces IPv6 Prefix List STEP 2 Click Add STEP 3 Enter ...

Page 418: ...efined Maximum prefix length to be matched Description Enter a description of the prefix list STEP 4 Click Apply to save the configuration to the Running Configuration file IPv6 Access Lists The IPv6 access list can be used in MLD Proxy Global MLD Proxy Settings SSM IPv6 Access List page To create an access list STEP 1 Click IP Configuration IPv6 Management and Interfaces IPv6 Access List STEP 2 T...

Page 419: ...happen when the default router the device uses is not the router for traffic to which the IPv6 subnets that the device wants to communicate To view IPv6 routes Click IP Configuration IPv6 Management and Interfaces IPv6 Routes This page displays the following fields IPv6 Prefix IP route address prefix for the destination IPv6 subnet address Prefix Length IP route prefix length for the destination I...

Page 420: ...dd and enter the fields described above In addition enter the following field IPv6 Address Add the IPv6 address of the new route STEP 2 Click Apply to save the changes DHCPv6 Relay This section covers the following topics Global Destinations Interface Settings DHCPv6 Relay is used for relaying DHCPv6 messages to DHCPv6 servers It is defined in RFC 3315 When the DHCPv6 client is not directly connec...

Page 421: ...destination address to which client messages are forwarded The address type can be Link Local Global or Multicast All_DHCP_Relay_Agents_and_Servers DHCPv6 Server IPAddress Enter the address of the DHCPv6 server to which packets are forwarded IPv6 Interface Enter the destination interface on which packets are transmitted when the address type of the DHCPv6 server is Link Local or Multicast The inte...

Page 422: ...is updated Policy Based Routing Policy based Routing PBR provides a means for routing selected packets to a next hop address based on packet fields using ACLs for classification PBR lessens reliance on routes derived from routing protocols Route Maps Route maps are the means used to configure PBR To add a route map STEP 1 Click IP Configuration Policy Based Routing Route Maps STEP 2 Click Add and ...

Page 423: ...fix of FE80 is not routable and can be used for communication only on the local network Point to Point A point to point tunnel Interface Displays the outgoing Link Local interface Next Hop IP address of the next hop router STEP 3 Click Apply The Running Configuration file is updated Route Map Binding All packets coming in on an interface that is bound to a route map and match a route map rule are ...

Page 424: ... is down ACL Name ACL associated with route map Next Hop Where packets matching route map will be routed Next Hop Status Reachability of next hop Active The next hop IP address is reachable Unreachable The status is not active due to the fact that the next hop IP address is not reachable Not Direct The status is not active due to the fact that the next hop IP address is not directly attached to a ...

Page 425: ...mes The device appends this to all non fully qualified domain names NFQDNs turning them into FQDNs NOTE Do not include the initial period that separates an unqualified name from the domain name like cisco com STEP 3 In Advanced Mode enter the parameters DNS Select to designate the device as a DNS client which can resolve DNS names into IP addresses through one or more configured DNS servers Pollin...

Page 426: ...CPv4 or DHCPv6 Interface Interface of the server s IP address STEP 5 Up to eight DNS servers can be defined To add a DNS server click Add STEP 6 Enter the parameters IP Version Select Version 6 for IPv6 or Version 4 for IPv4 IPv6 Address Type Select the IPv6 address type if IPv6 is used The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local addr...

Page 427: ...face of the server s IP address for this domain Preference This is the order in which the domains are used from low to high This effectively determines the order in which unqualified names are completed during DNS queries Host Mapping Host name IP address mappings are stored in the Host Mapping Table DNS cache This cache can contain the following type of entries Static Entries These are mapping pa...

Page 428: ...Displays the results of attempts to access the host OK Attempt succeeded Negative Cache Attempt failed do not try again No Response There was no response but system can try again in future TTL Sec If this is a dynamic entry how long will it remain in the cache Remaining TTL Sec If this is a dynamic entry how much longer will it remain in the cache STEP 3 To add a host mapping click Add STEP 4 Ente...

Page 429: ...ess type is Link Local select the interface through which it is received Host Name Enter a user defined host name or fully qualified name Host names are restricted to the ASCII letters A through Z case insensitive the digits 0 through 9 the underscore and the hyphen A period is used to separate labels IPAddress Enter a single address or up to eight associated IP addresses IPv4 or IPv6 STEP 5 Click...

Page 430: ...ers advertise their routes to others passive routers listen and update their routes based on advertisements but do not advertise Typically routers run RIP in active mode while hosts use passive mode The default gateway is a static route and it is advertised by RIP in the same way as all other static routers if it is enabled by configuration When IP Routing is enabled RIP works fully When IP Routin...

Page 431: ...he specified interface If IP Routing is disabled RIP messages are not sent although when RIP messages are received they are used to update the routing table information NOTE RIP can only be defined on manually configured IP interfaces meaning that RIP cannot be defined on an interface whose IPaddress was received from a DHCPserver or whose IP address is the default IP address Offset Configuration ...

Page 432: ...to router rA is higher via router rC additional 4 to the cost path as opposed to the path via router rB additional 2 to the cost path Therefore forwarding traffic via routing rB is preferred To achieve this you configure a different offset metric value on each interface based on its line speed See Offset Configuration for more information Passive Mode Transmission of routing update messages over a...

Page 433: ...avoid listing every possible network in the routing updates when one or more closely connected routers in the system are prepared to transfer traffic to the networks that are not listed explicitly These routers create RIP entries for the address 0 0 0 0 just as if it a network to which they are connected You can enable the default route advertisement and configure it with a given metric Redistribu...

Page 434: ... the metric value of a route is equal to or less than 15 this value is used in the RIP protocol when advertising this route If the metric value of a static route is greater than 15 the route is not advertised to other routers using RIP User Defined Metric Causes RIP to use the metric value entered by the user Using RIP in Network with Non Rip Devices Static route configuration and connected interf...

Page 435: ...receiving router compares this key to its own configured key If they are the same it accepts the route MD5 Uses MD5 digest authentication Each router is configured with a set of secret keys This set is called a key chain Each key chain consists of one or more keys Each key has an identifying number key identifier key string and optionally a send lifetime and accept lifetime value The send lifetime...

Page 436: ...IP interface using the RIPv2 Properties page Configure the offset added to the metric for incoming routes on an IP interface using theRIPv2 Settings page Enable passive mode on an IP interface using the RIPv2 Settings page Control which routes are processed in the incoming outgoing routing updates by specifying an IP address list on the IP interface see Access Lists Advertise default route entries...

Page 437: ...is enabled select an option for the Redistribute Static Metric field The following options are available Default Metric Causes RIP to use the default metric value for the propagated static route configuration refer to Redistribution Feature Transparent Causes RIP to use the routing table metric as the RIP metric for the propagated static route configuration This results in the following behavior I...

Page 438: ... add a new IP interface click Add and enter the following fields IPAddress Select an IP interface defined on the Layer 2 interface Shutdown Keep RIP configuration on the interface but set the interface to inactive Passive Specifies whether sending RIP route update messages is allowed on the specified IP interface If this field is not enabled RIP updates are not sent passive Offset Specifies the me...

Page 439: ...s enabled select the Access List Name below Access List Name Select theAccess List name which includes a list of IPaddresses of RIP incoming routes filtering for a specified IP interface See Access List Settings for a description of access lists Distribute list Out Select to configure filtering on RIP outgoing routes for the specified IP address es in the Access List Name If this field is enabled ...

Page 440: ...re displayed for the peer router database Router IPAddress IP interface defined on the Layer 2 interface Bad Packets Received Specifies the number of bad packets identified by RIP on the IP interface Bad Routes Received Specifies the number of bad routes received and identified by RIP on the IP interface Bad routes mean that the route parameters are incorrect For example the IP destination is a Br...

Page 441: ...Source IPv4 Mask Enter the source IPv4 address mask type and value The following options are available Network Mask Enter the network mask Prefix Length Enter the prefix length Action Select an action for the access list The following options are available Permit Permit entry of packets from the IP address es in the access list Deny Reject entry of packets from the IP address es in the access list...

Page 442: ...v4 Mask Source IPv4 address mask type and value The following options are available Network Mask Enter the network mask for example 255 255 0 0 Prefix Length Enter the prefix length Action Action for the access list The following options are available Permit Permit entry of packets from the IP address es in the access list Deny Reject entry of packets from the IP address es in the access list STEP...

Page 443: ...iability of routing paths in the network In VRRP one physical router in a virtual router is elected as the master with the other physical router of the same virtual router acting as backups in case the master fails The physical routers are referred as VRRP routers The default gateway of a participating host is assigned to the virtual router instead of a physical router If the physical router that ...

Page 444: ... is responsible to route packets on behalf of the virtual router Clients 1 through 3 are configured with the default gateway IP address of 198 168 2 1 Client 4 is configured with the default gateway IP address of 198 168 2 2 NOTE The VRRP router that is the IP address owner responds processes packets whose destination is to the IP address The VRRP router that is the virtual router master but not t...

Page 445: ...hat happens if the virtual router master fails see VRRP Router Priority and Preemption The following shows a LAN topology in which VRRP is configured Routers A and B share the traffic to and from clients 1 through 4 and Routers A and B act as virtual router backups to each other if either router fails Load Sharing VRRP Topology In this topology two virtual routers are configured For virtual router...

Page 446: ...mands or through the web GUI as described in the Configuring VRRP section To configure a virtual router you configure its information such as the virtual router ID and its IP addresses on every VRRP routers that support the virtual router The following elements can be configured and customized Virtual Router Identification It must be assigned an identifier VRID and may be assigned a description Th...

Page 447: ...h the current master assumes responsibility A VRRP router supporting a virtual router must have an IP interface on the same IP subnet with respect to the IP addresses configured on the virtual router Assigning IP addresses to a virtual router is done according to the following rules All the VRRP routers supporting the virtual router must be configured with the same virtual router IP addresses in t...

Page 448: ...ortant aspect of the VRRP redundancy scheme is the ability to assign each VRRP router a VRRP priority The VRRP priority must express how efficiently a VRRP router would perform as a backup to a virtual router defined in the VRRP router If there are multiple backup VRRP routers for the virtual router the priority determines which backup VRRP router is assigned as master if the current master fails ...

Page 449: ... advertise interval is rounded down to the nearest second The minimum operational value is 1 sec Configuring VRRP Virtual Routers VRRP properties can be configured and customized in the VRRP Virtual Routers page STEP 1 Click IP Configuration IPv4 Management and Interfaces VRRP Virtual Routers The virtual routers are displayed The fields are described in the Add page except for the following fields...

Page 450: ...mpt Mode Select one of the following options True When a VRRP router is configured with higher priority than the current master is up it replaces the current master False Even if a VRRP router with a higher priority than the current master is up it does not replace the current master Only the original master when it becomes available replaces the backup Accept Control Mode Select one of the follow...

Page 451: ...s Owner The owner of the IP address of the virtual router Skew Time Time used in calculation of master down interval Master Down Interval Length of time that master unit has been down Master Backup Status Is the virtual router the master or backup Preempt Mode Is Preempt mode enabled Accept Control Mode Displays either Drop Accept Track Parameters Tracker Object Displays number of the SLA track th...

Page 452: ...s number of packets with invalid checksums Invalid Packet Length Displays number of packets with invalid packet lengths Invalid TTL Displays number of packets with invalid time to live values Invalid VRRP Packet Type Displays number of packets with invalid VRRP packet types Invalid VRRP ID Displays number of packets with invalid VRRP IDs Invalid Protocol Number Displays number of packets with inva...

Page 453: ...rity becomes the master router The VRRP protocol provides information on the state of the router itself but does not provide information about the states of the routes used by the router Therefore when using static routing a situation may exist where the master router continues to act as master router since it is functional although connectivity from the router to the default route next hop is los...

Page 454: ...ere along the path to the destination network In this case the device may use the static route although it does not actually provide connectivity to the destination network The IP SLA Object tracking for static routes provides a mechanism to track the connectivity to the destination network via the next hop specified in the static route If connectivity to the destination network is lost the route ...

Page 455: ...ssage Return Code After an operation has been finished the operation return code is set according to the following ICMP Echo reply has been received Return code is set to OK ICMP Error reply has been received Return code is set to error No any ICMP reply has been received Return code is set to error Configured Source IP address or Source interface is not accessible Return code is set to error Trac...

Page 456: ... STEP 3 Enter the following fields Operation Number Enter an unused number Operation State Select one of the following options Pending Operation is not activated Scheduled Operation is activated ICMP Echo Parameters Operation Target Select how the operation target is defined By IP Enter the operation target s IP address By host name Enter the operation target s host name NOTE If the IP SLAoperatio...

Page 457: ... the milliseconds argument be based on the sum of the maximum round trip time RTT value for the packets and the processing time of the IP SLAs operation STEP 4 Click Apply to save the settings SLA Tracks SLA tracks can be configured in this page SLA tracks are used to track IP SLA return codes and set a state of up or down accordingly STEP 1 Click IP Configuration IPv4 Management and Interfaces SL...

Page 458: ... IP Configuration IPv4 Management and Interfaces SLA ICMP Echo Statistics STEP 2 Enter the following fields SLA Operation Select one of the operations that were previously defined Refresh Rate Select the how often the statistics should be refreshed The available options are No Refresh Statistics are not refreshed 15 Sec Statistics are refreshed every 15 seconds 30 Sec Statistics are refreshed ever...

Page 459: ...50X and 550X Series Managed Switches Firmware Release 2 4 ver 0 4 20 To refresh these counters click Clear Counters Clears counters for selected operation Clear All Operations Counters Clears counters for all operations Refresh Refresh the counters ...

Page 460: ...so they appear twice in the list of topics below Permission to administer the device is described in the following sections Configuring TACACS Password Strength Management Access Method Management Access Authentication Key Management Secure Sensitive Data Management SSL Server SSH Server SSH Client Protection from attacks directed at the device CPU is described in the following sections TCP UDP Se...

Page 461: ...S server to provide centralized security for all of its devices In this way authentication and authorization can be handled on a single server for all devices in the organization The device can act as a TACACS client that uses the TACACS server for the following services Authentication Provides authentication of users logging onto the device by using usernames and user defined passwords Authorizat...

Page 462: ...using either a RADIUS or TACACS server The user configurable TCP port used for TACACS server accounting is the same TCP port that is used for TACACS server authentication and authorization The following information is sent to the TACACS server by the device when a user logs in or out Defaults The following defaults are relevant to this feature No default TACACS server is defined by default If you ...

Page 463: ...riorities of the available TACACS servers to select the TACACS server to be used by the device TACACS Client The TACACS page enables configuring TACACS servers Only users who have privilege level 15 on the TACACS server can administer the device Privilege level 15 is given to a user or group of users on the TACACS server by the following string in the user or group definition service exec priv lvl...

Page 464: ...interface STEP 4 Click Apply The TACACS default settings are added to the Running Configuration file These are used if the equivalent parameters are not defined in the Add page The information for each TACACS server is displayed in the TACACS Server Table The fields in this table are entered in the Add page except for the Status field This fields describes whether the server is connected or not to...

Page 465: ... can be entered in Encrypted or Plaintext form If you do not have an encrypted key string from another device enter the key string in plaintext mode and click Apply The encrypted key string is generated and displayed If you enter a key this overrides the default key string if one has been defined for the device on the main page Timeout for Reply Select User Defined and enter the amount of time tha...

Page 466: ...Authorization Performed at login After the authentication session is completed an authorization session starts using the authenticated username The RADIUS server then checks user privileges Accounting Enable accounting of login sessions using the RADIUS server This enables a system administrator to generate accounting reports from the RADIUS server The user configurable TCP port used for RADIUS se...

Page 467: ...ice uses the values in these fields Retries Enter the number of transmitted requests that are sent to the RADIUS server before a failure is considered to have occurred Timeout for Reply Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query or switching to the next server Dead Time Enter the number of minutes that elapse before a non respon...

Page 468: ...rface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks Link Local Interface Select the link local interface if IPv6Address Type Link Local is selected from the list Server IPAddress Name Enter the RADIUS server by IP address or name Priority Enter the priority of the server The priority dete...

Page 469: ...ad time If you enter 0 minutes there is no dead time Usage Type Enter the RADIUS server authentication type The options are Login RADIUS server is used for authenticating users that ask to administer the device 802 1X RADIUS server is used for 802 1x authentication All RADIUS server is used for authenticating user that ask to administer the device and for 802 1X authentication STEP 6 Click Apply T...

Page 470: ... RADIUS Server RADIUS Server Keys STEP 2 Enter the default RADIUS keys if required Values entered in the Default Key are applied to all servers configured in the Add RADIUS Server page to use the default key Default Key Enter the default key string used for authenticating and encrypting between the device and the RADIUS client Select one of the following options Keep existing default key For speci...

Page 471: ...users that will be using the device as its RADIUS server STEP 1 Click Security RADIUS Server RADIUS Server Groups STEP 2 Click Add and enter the following fields Group Name Enter a name for the group Privilege Level Enter the management access privilege level of the group Time Range Check to enable applying a time range to this group Time Range Name If Time Range is selected select the time range ...

Page 472: ...aintext mode The encrypted key string is generated and displayed STEP 3 Click Apply The user definition is added to the Running Configuration file of the device RADIUS Server Accounting The Radius server saves the last accounting logs in a cycle file on FLASH These can be displayed To display RADIUS server accounting STEP 1 Click Security RADIUS Server RADIUS Server Accounting RADIUS accounting ev...

Page 473: ...f account viewed and the details received for it Not all fields are always displayed Event Time See above Event Type See above User Name See above Authentication Method See above NAS IPv4 Address See NAS Address above NAS Port Port used on the switch at the NAS address User Address See above Accounting Session Time See Event Time above Session Termination Reason Displays reason for session termina...

Page 474: ... this page depend on the type of account viewed and the details received for it Not all fields are always displayed Event Time See above User Name See above User Type See above Rejection Reason Reason that the user was rejected NAS IPAddress Address of the Network Accessed Server NAS The NAS is the switch running the RADIUS client To clear out the table of rejected users click Clear RADIUS Server ...

Page 475: ...equests from Unknown Addresses Number of incoming access requests from unknown NAS addresses Duplicate Incoming Access Requests Number of retransmitted packets received Sent Access Accepts Number of access accepts sent Sent Access Rejects Number of access rejects sent Sent Access Challenges Number of access challenges sent Incoming Malformed Access Requests Number of malformed access requests rece...

Page 476: ...Accounting Requests Number of incoming accounting requests not recorded Incoming Accounting Packets of Unknown Type Number of incoming accounting packets of unknown type To clear the counters click Clear Counters To refresh the counters click Refresh Password Strength The default username password is cisco cisco The first time that you log in with the default username and password you are required...

Page 477: ...lasses uppercase letters lowercase letters numbers and special characters available on a standard keyboard Are different from the current password Contain no character that is repeated more than three times consecutively Do not repeat or reverse the users name or any variant reached by changing the case of the characters Do not repeat or reverse the manufacturers name or any variant reached by cha...

Page 478: ... the 550 family This section describes how to configure key chains for applications and protocols such as RIP See IP Configuration RIPv2 for a description of how RIP uses key chain for authentication It covers the following topics Key Chain Key Settings Key Chain NOTE This feature is only supported on Sx550X SG550XG devices To create a new key chain STEP 1 Click Security Key Management Key Chain S...

Page 479: ...cept Life Time and Send Life Times always fail The following fields are relevant for the Accept Life Time and Send Life Time fields Start Date Enter the earliest date that the key identifier is valid Start Time Enter the earliest time that the key identifier is valid on the Start Date End Time Specifies the last date that the key identifier is valid Select one of the following options Infinite No ...

Page 480: ...lid The fields are only described for the Accept Life Time The Send Life Time has the same fields Accept Life Time Specifies when packets with this key are accepted Select one of the following options Always Valid No limit to the life of the key identifier User Defined Life of the key chain is limited If this option is selected enter values in the following fields Start Date Enter the earliest dat...

Page 481: ...s Profile Profile Rules Access profiles determine how to authenticate and authorize users accessing the device through various access methods Access Profiles can limit management access from specific sources Only users who pass both the active access profile and the management access authentication methods are given management access to the device There can only be a single access profile active o...

Page 482: ... access is denied When an attempt to access the device is in violation of the active access profile the device generates a SYSLOG message to alert the system administrator of the attempt If a console only access profile has been activated the only way to deactivate it is through a direct connection from the management station to the physical console port on the device For more information see Prof...

Page 483: ...d Select the management method for which the rule is defined The options are All Assigns all management methods to the rule Telnet Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access Secure Telnet SSH Users requesting access to the device that meets the SSH access profile criteria are permitted or denied access HTTP Users requesting ac...

Page 484: ...e number of bits that comprise the source IP address prefix STEP 7 Click Apply The access profile is written to the Running Configuration file You can now select this access profile as the active access profile Profile Rules Access profiles can contain up to 128 rules to determine who is permitted to manage and access the device and the access methods that may be used Each rule in an access profil...

Page 485: ...cure Telnet SSH Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access HTTP Assigns HTTP access to the rule Users requesting access to the device that meets the HTTP access profile criteria are permitted or denied Secure HTTP HTTPS Users requesting access to the device that meets the HTTPS access profile criteria are permitted or denied S...

Page 486: ...anagement Access Authentication You can assign authorization and authentication methods to the various management access methods such as SSH console Telnet HTTP and HTTPS The authentication can be performed locally or on a TACACS or RADIUS server If authorization is enabled both the identity and read write privileges of the user are verified If authorization is not enabled only the identity of the...

Page 487: ...nal Methods column and the Selected Methods column The first method selected is the first method that is used RADIUS User is authorized authenticated on a RADIUS server You must have configured one or more RADIUS servers For the RADIUS server to grant access to the web based configuration utility the RADIUS server must return cisco avpair shell priv lvl 15 TACACS User authorized authenticated on t...

Page 488: ...ned by a trusted CA To open an HTTPS session with a user created certificate perform the following actions 1 Generate a certificate 2 Request that the certificate be certified by a CA 3 Import the signed certificate into the device By default the device contains a certificate that can be modified HTTPS is enabled by default SSL Server Authentication Settings It may be required to generate a new ce...

Page 489: ...anization unit or department name Organization Name Specifies the organization name Location Specifies the location or city name State Specifies the state or province name Country Specifies the country name Certificate Request Displays the key created when the Generate Certificate Request button is pressed STEP 5 Click Generate Certificate Request This creates a key that must be entered on the Cer...

Page 490: ...sed to copy the certificate and RSA key pair to another device using copy paste When you click Display Sensitive Data as Encrypted the private keys are displayed in encrypted form To create a new self generated certificate on the device STEP 1 Click Security SSL Server SSL Server Authentication Settings STEP 2 Select a certificate and click Edit STEP 3 Enter the following fields as required Regene...

Page 491: ...services STEP 1 Click Security TCP UDP Services STEP 2 Enable or disable the following TCP UDP services on the displayed services HTTP Service Indicates whether the HTTP service is enabled or disabled HTTPS Service Indicates whether the HTTPS service is enabled or disabled SNMP Service Indicates whether the SNMP service is enabled or disabled Telnet Service Indicates whether the Telnet service is ...

Page 492: ...DP port through which the device is offering the service Application Instance The service instance of the UDP service For example when two senders send data to the same destination Storm Control This section describes storm control It covers the following topics Storm Control Storm Control Statistics When Broadcast Multicast or Unknown Unicast frames are received they are duplicated and a copy is ...

Page 493: ...selected the trap is not sent Shutdown on Storm Select to shutdown a port when a storm occurs on the port If this is not selected extra traffic is discarded Multicast Storm Control Storm Control State Select to enable Storm Control for Multicast packets Multicast Type Select one of the following types of Multicast packets on which to implement storm control All Enables storm control on all Multica...

Page 494: ...ot selected extra traffic is discarded STEP 4 Click Apply Storm control is modified and the Running Configuration file is updated Storm Control Statistics To view Storm Control statistics STEP 1 Click Security Storm Control Storm Control Statistics STEP 2 Select an interface STEP 3 Enter the Refresh Rate Select the how often the statistics should be refreshed The available options are No Refresh S...

Page 495: ...0 350X and 550X Series Managed Switches Firmware Release 2 4 ver 0 4 17 STEP 4 To clear all counters on all interfaces click Clear All Interfaces Counters To clear all counters on an interface select it and click Clear Interface Counters ...

Page 496: ...ning Secure Permanent Keeps the current dynamic MAC addresses associated with the port as long as the configuration was saved to the Start configuration file New MAC addresses can be learned as Permanent Secure ones up to the maximum addresses allowed on the port Relearning and aging are disabled Secure Delete on Reset Deletes the current dynamic MAC addresses associated with the port after reset ...

Page 497: ...rt Both re learning and aging of MAC addresses are enabled Secure Permanent Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port set by Max No of Addresses Allowed Relearning and aging are disabled Secure Delete on Reset Deletes the current dynamic MAC addresses associated with the port after reset New MAC addresses c...

Page 498: ... the Security 802 1X Authentication chapter for information about 802 1X authentication IP Source Guard IP Source Guard is a security feature that can be used to prevent traffic attacks caused when a host tries to use the IP address of its neighbor When IP Source Guard is enabled the device only transmits client IP traffic to IP addresses contained in the DHCP Snooping Binding database This includ...

Page 499: ...n by enabling IP Source Guard on the port When the ports status changes from DHCP untrusted to DHCP trusted the static IP address filtering entries remain in the Binding database but they become inactive Port security cannot be enabled if source IP and MAC address filtering is configured on a port IP Source Guard uses TCAM resources and requires a single TCAM rule per IP Source Guard address entry...

Page 500: ...e Settings page STEP 6 View entries to the Binding database in the IP Source Guard Binding Database page Properties To enable IP Source Guard globally STEP 1 Click Security IP Source Guard Properties STEP 2 Select Enable to enable IP Source Guard globally STEP 3 Click Apply to enable IP Source Guard Interface Settings If IP Source Guard is enabled on an untrusted port LAG DHCP packets allowed by D...

Page 501: ...ies to the DHCP Snooping Binding database the excessive entries are maintained in an inactive status Entries are deleted when their lease time expires and so inactive entries may be made active See DHCP Snooping Relay NOTE The Binding Database page only displays the entries in the DHCP Snooping Binding database defined on IP Source Guard enabled ports To view the DHCP Snooping Binding database and...

Page 502: ...become trusted Resource Problem TCAM resources are exhausted STEP 4 To see a subset of these entries enter the relevant search criteria and click Go ARP Inspection ARP enables IP communication within a Layer 2 Broadcast domain by mapping IP addresses to a MAC addresses A malicious user can attack hosts switches and routers connected to a Layer 2 network by poisoning the ARP caches of systems conne...

Page 503: ... Host B Host C can poison the ARP caches of the switch Host A and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA or IB and a MAC address of MC Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB which enables Host C intercepts that traffic Because Host C knows the true MAC addresses as...

Page 504: ...n untrusted interfaces the following logic is implemented Search the ARP access control rules for the packet s IP MAC addresses If the IP address is found and the MAC address in the list matches the packet s MAC address then the packet is valid otherwise it is not If the packet s IP address was not found and DHCP Snooping is enabled for the packet s VLAN search the DHCP Snooping Binding database f...

Page 505: ...on MAC address in the Ethernet header against the destination interface s MAC address This check is performed for ARP responses IPAddresses Compares the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 255 255 255 and all IP Multicast addresses Packets with invalid ARP Inspection bindings are logged and dropped Up to 1024 entries can be defined in the ARP Access Contr...

Page 506: ...the Access Control Rules for each VLAN in the VLAN Settings page Properties To configure ARP Inspection properties STEP 1 Click Security ARP Inspection Properties Enter the following fields ARP Inspection Status Select to enable ARP Inspection ARP Packet Validation Select to enable validation checks Log Buffer Interval Select one of the following options Retry Frequency Enable sending SYSLOG messa...

Page 507: ... the ARP trusted status of a port LAG STEP 1 Click Security ARP Inspection Interface Settings The ports LAGs and their ARP trusted untrusted status are displayed STEP 2 To set a port LAG as untrusted select the port LAG and click Edit STEP 3 Select Trusted or Untrusted and click Apply to save the settings to the Running Configuration file ARP Access Control To add entries to the ARP Inspection tab...

Page 508: ...PAddress IP address of packet MAC Address MAC address of packet STEP 4 Click Apply The settings are defined and the Running Configuration file is updated VLAN Settings To enable ARP Inspection on VLANs and associate Access Control Groups with a VLAN STEP 1 Click Security ARP Inspection VLAN Settings STEP 2 To enable ARP Inspection on a VLAN move the VLAN from the Available VLANs list to the Enable...

Page 509: ... in addition to end user TCP traffic SCT ensures that the device receives and processes management and protocol traffic no matter how much total traffic is received This is done by rate limiting TCP traffic to the CPU There are no interactions with other features SCT can be monitored in the Security Suite Settings page Details button Types of DoS Attacks The following types of packets or other str...

Page 510: ... client program to connect to handlers which are compromised systems that issue commands to zombie agents which in turn facilitate the DoS attack Agents are compromised via the handlers by the attacker Using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts Each handler can control up to a thousand agents Invasor Trojan A ...

Page 511: ...it An error message appears if you attempt to enable DoS Prevention when an ACL is defined on the interface or if you attempt to define an ACL on an interface on which DoS Prevention is enabled A SYN attack cannot be blocked if there is an ACL active on an interface Default Configuration The DoS Prevention feature has the following defaults The DoS Prevention feature is disabled by default SYN FIN...

Page 512: ... Prevention Enable that part of the feature that prevents attacks from Stacheldraht Distribution Invasor Trojan and Back Orifice Trojan STEP 5 If System Level Prevention or System Level and Interface Level Prevention is selected enable one or more of the following DoS Prevention options Stacheldraht Distribution Discards TCP packets with source TCP port equal to 16660 Invasor Trojan Discards TCP p...

Page 513: ... rule is unbound from the port every user defined interval SYN Protection Period To configure SYN protection STEP 1 Click Security Denial of Service Prevention SYN Protection STEP 2 Enter the parameters Block SYN FIN Packets Select to enable the feature All TCP packets with both SYN and FIN flags are dropped on all ports SYN Protection Mode Select between three modes Disable The feature is disable...

Page 514: ...orts a set of reserved Martian addresses that are illegal from the point of view of the IP protocol The supported reserved Martian addresses are Addresses defined to be illegal in the Martian Addresses page Addresses that are illegal from the point of view of the protocol such as loopback addresses including addresses within the following ranges 0 0 0 0 8 Except 0 0 0 0 32 as a Source Address Addr...

Page 515: ...ed List Select a well known IP address from the reserved list New IP Address Enter an IP address Mask Enter the mask of the IP address to define a range of IP addresses to reject The values are Network Mask Network mask in dotted decimal format Prefix Length Enter the prefix of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled STEP 5 Click Apply T...

Page 516: ...ion file is updated SYN Rate Protection The SYN Rate Protection page enables limiting the number of SYN packets received on the ingress port This can mitigate the effect of a SYN flood against servers by rate limiting the number of new connections opened to handle packets To define SYN rate protection STEP 1 Click Security Denial of Service Prevention SYN Rate Protection This page appears the SYN ...

Page 517: ... 2 Click Add STEP 3 Enter the parameters Interface Select the interface on which the ICMP filtering is being defined IPAddress Enter the IPv4 address for which the ICMP packet filtering is activated or select All Addresses to block ICMP packets from all source addresses If you enter the IP address enter either the mask or prefix length Network Mask Select the format for the subnet mask for the sou...

Page 518: ...mented IP packets is filtered or select All Addresses to block IP fragmented packets from all addresses If you enter the IP address enter either the mask or prefix length Network Mask Select the format for the subnet mask for the source IP address and enter a value in one of the field Mask Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format P...

Page 519: ...d Session Authentication Authenticated Hosts Locked Clients Web Authentication Customization Supplicant Credentials MAC Based Authentication Settings Overview 802 1x authentication restricts unauthorized clients from connecting to a LAN through publicity accessible ports 802 1x authentication is a client server model In this model network devices have the following specific roles Client or supplic...

Page 520: ...t to use MAC based or web based authentication Authenticator An authenticator is a network device that provides network services and to which supplicant ports are connected The following authentication methods are supported 802 1x based Supported in all authentication modes MAC based Supported in all authentication modes WEB based Supported only in multi sessions modes In 802 1x based authenticati...

Page 521: ... allows access to the network for stations connected to interfaces regardless of authentication results Open Access changes the normal behavior of blocking traffic on a authentication enabled port until authentication and authorization are successfully performed The default behavior of authentication is still to block all traffic except Extensible Authentication Protocol over LAN EAPoL However Ope...

Page 522: ...configured on the port Port Host Modes Ports can be placed in the following port host modes configured in the Host and Session Authentication page Single Host Mode A port is authorized if there is an authorized client Only one host can be authorized on a port When a port is unauthorized and the guest VLAN is enabled untagged traffic is remapped to the guest VLAN Tagged traffic is dropped unless it...

Page 523: ... port is set in the Port Authentication page Multi Sessions Mode Unlike the single host and multi host modes a port in the multi session mode does not have an authentication status This status is assigned to each client connected to the port Tagged traffic belonging to an unauthenticated VLAN is always bridged regardless of whether the host is authorized or not Tagged and untagged traffic from una...

Page 524: ... with the old method 802 1x Based Authentication The 802 1x based authenticator relays transparent EAP messages between 802 1x supplicants and authentication servers The EAP messages between supplicants and the authenticator are encapsulated into the 802 1x messages and the EAP messages between the authenticator and authentication servers are encapsulated into the RADIUS messages This is described...

Page 525: ... is enabled on a port the switch drops all traffic coming onto the port from unauthorized clients except for ARP DHCP and DNS packets These packets are allowed to be forwarded by the switch so that even unauthorized clients can get an IP address and be able to resolve the host or domain names All HTTP HTTPS over IPv4 packets from unauthorized clients are trapped to the CPU on the switch If Web bas...

Page 526: ...Running Configuration file Unauthenticated VLANs and the Guest VLAN Unauthenticated VLANs and the guest VLAN provide access to services that do not require the supplicant devices or ports to be authenticated and authorized The guest VLAN is the VLAN that is assigned to an unauthorized client You can configure the guest VLAN and one or more VLANs to be unauthenticated in the Properties page An unau...

Page 527: ...he TCAM rule and are bridged via the guest VLAN The tagged traffic belonging to an unauthenticated VLAN is bridged via the VLAN This mode cannot be configured on the same interface with policy based VLANs RADIUS VLAN Assignment or Dynamic VLAN Assignment An authorized client can be assigned a VLAN by the RADIUS server if this option is enabled in the Port Authentication page This is called either ...

Page 528: ...gned VLAN are bridged via this VLAN All other traffic not belonging to unauthenticated VLANs is discarded Multi Sessions Mode Untagged traffic and tagged traffic not belonging to the unauthenticated VLANs arriving from the client are assigned to the RADIUS assigned VLAN using TCAM rules and are bridged via the VLAN The following table describes guest VLAN and RADIUS VLAN Assignment support dependi...

Page 529: ...raps If seconds 0 traps are disabled If minimum time is not specified it defaults to 1 second for the restrict mode and 0 for the other modes Quiet Period The Quiet period is a period when the port single host or multi host modes or the client multi sessions mode cannot attempt authentication following a failed authentication exchange In single host or multi host mode the period is defined per por...

Page 530: ...ethod and port mode are supported Legend The port mode also supports the guest VLAN and RADIUS VLAN assignment N S The authentication method does not support the port mode NOTE You can simulate the single host mode by setting Max Hosts parameter to 1 in the Port Authentication page Authentication Methods and Port Modes Authentication Method Single host Multi host Multi sessions Device in L3 Device...

Page 531: ...ropped unless they belong to the RADIUS VLAN or to the unauthent icated VLANs Frames are bridged based on the static VLAN configuration Frames are bridged based on the static VLAN configurat ion Multi host Frames are re mapped to the guest VLAN Frames are dropped unless they belongs to the guest VLAN or to the unauthent icated VLANs Frames are dropped Frames are dropped unless they belongs to the ...

Page 532: ...The status of the port is changed to Up and supplicant is enabled on the port An EAP Identifier Request message is received on the port and the supplicant is enabled on the port 802 1x authenticator and supplicant cannot be configured at the same time on a single interface Full multi sessions Frames are re mapped to the guest VLAN Frames are re mappedto the guest VLAN unless they belongs to the un...

Page 533: ...d the Running Configuration file is updated STEP 9 Click Security 802 1X Authentication Port Authentication STEP 10 Select a port and click Edit STEP 11 Set the Administrative Port Control field to Auto STEP 12 Define the authentication methods STEP 13 Click Apply and the Running Configuration file is updated Workflow 2 To configure traps STEP 1 Click Security 802 1X Authentication Properties STEP...

Page 534: ...VLAN field STEP 3 Select the guest VLAN in the Guest VLAN ID field STEP 4 Configure the Guest VLAN Timeout to be either Immediate or enter a value in the User defined field STEP 5 Click Apply and the Running Configuration file is updated Workflow 6 To configure unauthenticated VLANs STEP 1 Click Security 802 1X Authentication Properties STEP 2 Select a VLAN and click Edit STEP 3 Select a VLAN STEP...

Page 535: ... The options are RADIUS None Perform port authentication first by using the RADIUS server If no response is received from RADIUS for example if the server is down then no authentication is performed and the session is permitted If the server is available but the user credentials are incorrect access is denied and the session terminated RADIUS Authenticate the user on the RADIUS server If no authen...

Page 536: ...erate a trap if 802 1x authentication succeeds MAC Authentication Failure Traps Select to generate a trap if MAC authentication fails MAC Authentication Success Traps Select to generate a trap if MAC authentication succeeds Supplicant Authentication Failure Traps Select to generate a trap if supplicant authentication fails Supplicant Authentication Success Traps Select to generate a trap if suppli...

Page 537: ...Either Authorized or Unauthorized for an interface on which 802 1x supplicant has been enabled Credentials Name of the credential structure used for the supplicant interface so the possible value is any name or N A if the supplicant is not enabled If a port has a configured supplicant credential name the value for the port control parameters is Supplicant This value overrides any other port contro...

Page 538: ...uest VLAN is activated globally on a given port the guest VLAN is automatically assigned to the unauthorized ports as an Untagged VLAN Open Access Select to successfully authenticate the port even though authentication fails See Open Access 802 1X Based Authentication Select to enable 802 1X authentication on the port MAC Based Authentication Select to enable port authentication based on the suppl...

Page 539: ...entication allowed on the interface Select either Infinite for no limit or User Defined to set a limit Max Hosts Enter the maximum number of authorized hosts allowed on the interface Select either Infinite for no limit or User Defined to set a limit NOTE Set this value to 1 to simulate single host mode for web based authentication in multi sessions mode Max Hosts Enter the maximum number of author...

Page 540: ...ritten to the Running Configuration file Host and Session Authentication The Host and Session Authentication page enables defining the mode in which 802 1X operates on the port and the action to perform if a violation has been detected See Port Host Modes for an explanation of these modes To define 802 1X advanced settings for ports STEP 1 Click Security 802 1X Authentication Host and Session Auth...

Page 541: ...ntil the device is rebooted Traps Select to enable traps Trap Frequency Defines how often traps are sent to the host This field can be defined only if multiple hosts are disabled STEP 4 Click Apply The settings are written to the Running Configuration file Authenticated Hosts To view details about authenticated users click Security 802 1X Authentication Authenticated Hosts This page displays the f...

Page 542: ...thorized Remaining Time Sec The time remaining for the port to be locked STEP 2 Select a port STEP 3 Click Unlock Web Authentication Customization This page enables designing web based authentication pages in various languages You can add up to 4 languages NOTE Up to 5 HTTP users and one HTTPS user can request web based authentication at the same time When these users are authenticated more users ...

Page 543: ...ge Displays the page s language Color Scheme Select one of the contrast options If the Custom color scheme is selected the following options are available Page Background Color Enter the ASCII code of the background color The selected color is shown in the Text field Page Text Color Enter the ASCII code of the text color The selected color is shown in the Text field Header and Footer Background Co...

Page 544: ...uration file STEP 5 Click Edit labeled 2 The following fields are displayed Invalid User Credentials Enter the text of the message to be displayed when the end user enters an invalid username or password Service Not Available Enter the text of the message to be displayed when the authentication service is not available STEP 6 Click Apply and the settings are saved to the Running Configuration file...

Page 545: ...e a terms and conditions text box Terms and Conditions Warning Enter the text of the message to be displayed as instructions to enter the terms and conditions Terms and Conditions Content Enter the text of the message to be displayed as terms and conditions STEP 10 Click Apply and the settings are saved to the Running Configuration file STEP 11 Edit labeled 5 The following fields are displayed Cop...

Page 546: ...entication Supplicant Credentials STEP 2 Click Add STEP 3 Enter the following fields Credential Name Name by which to identify the credential User Name Enter the user name associated with the credential name Description Enter text describing the user Password Select the type of password Encrypted or Plaintext and add the password STEP 4 Click Apply and the settings are saved to the Running Configu...

Page 547: ...MAC based username which is sent from the switch to the RADIUS server as part of the authentication process Group Size Number of ASCII characters between delimiters of the MAC address sent as a user name Group Separator Character used as a delimiter between the defined groups of characters in the MAC address Case Send user name in lower or upper case MAC Authentication Password Password Defines th...

Page 548: ...SD Rules SSD Properties Configuration Files SSD Management Channels Menu CLI and Password Recovery Configuring SSD Introduction SSD protects sensitive data on a device such as passwords and keys permits and denies access to sensitive data encrypted and in plain text based on user credentials and SSD rules and protects configuration files containing sensitive data from being tampered with In additi...

Page 549: ...ve data The SSD configuration parameters themselves are sensitive data and are protected under SSD All configuration of SSD is performed through the SSD pages that are only available to users with the correct permissions see SSD Rules SSD Rules SSD rules define the read permissions and default read mode given to a user session on a management channel An SSD rule is uniquely identified by its user ...

Page 550: ...he channel types supported are Secure Specifies the rule applies only to secure channels Depending on the device it may support some or all of the following secure channels Console port interface SCP SSH and HTTPS Insecure Specifies that this rule applies only to insecure channels Depending on the device it may support some or all of the following insecure channels Telnet TFTP and HTTP Secure XML ...

Page 551: ...ected to the read permission of the rule The following options exist but some might be rejected depending on the read permission If the user defined read permission for a user is Exclude for example and the default read mode is Encrypted the user defined read permission prevails Exclude Do not allow reading sensitive data Encrypted Sensitive data is presented in encrypted form Plaintext Sensitive ...

Page 552: ...o be a level 15 user SNMP users on Insecure XML and SNMP SNMPv1 v2 and v3 with no privacy channel are considered as All users SNMP community names are not used as user names to match SSD rules Access by a specific SNMPv3 user can be controlled by configuring an SSD rule with a user name matching the SNMPv3 user name There must always be at least one rule with read permission Plaintext Only or Both...

Page 553: ...rvers are sensitive data and are protected under SSD NOTE The user credential in the local authenticated database is already protected by a non SSD related mechanism If a user from a channel issues an action that uses an alternate channel the device applies the read permission and default read mode from the SSD rule that match the user credential and the alternate channel For example if a user log...

Page 554: ...mode returns to the default read mode of the SSD rule SSD Properties SSD properties are a set of parameters that in conjunction with the SSD rules define and control the SSD environment of a device The SSD environment consists of these properties Controlling how the sensitive data is encrypted Controlling the strength of security on configuration files Controlling how the sensitive data is viewed ...

Page 555: ...nfigured to be either the default passphrase or a user defined passphrase By default the local passphrase and default passphrase are identical It can be changed by administrative actions from either the Command Line Interface if available or the web based interface It is automatically changed to the passphrase in the startup configuration file when the startup configuration becomes the running con...

Page 556: ... with Configuration File Integrity Control It is recommended that Configuration File Integrity Control be enabled when a device uses a user defined passphrase with Unrestricted Configuration File Passprhase Control CAUTION Any modification made to a configuration file that is integrity protected is considered tampering A device determines whether the integrity of a configuration file is protected ...

Page 557: ...source content to the format of the destination file if the two files are of different formats File SSD Indicator When copying the Running or Startup Configuration file into a text based configuration file the device generates and places the file SSD indicator in the text based configuration file to indicate whether the file contains encrypted sensitive data plaintext sensitive data or excludes se...

Page 558: ...le the SSD configuration in the Startup Configuration file is reset to default If there is a passphrase in the SSD control block of the source configuration file the device will reject the source file and the copy fails if there is encrypted sensitive data in the file not encrypted by the key generated from the passphrase in the SSD control block If there is an SSD control block in the source conf...

Page 559: ...e neither verified nor enforced When copied from a source file the copy will fail if the passphrase in the source file is in plaintext If the passphrase is encrypted it is ignored When directly configuring the passphrase non file copy in the Running Configuration the passphrase in the command must be entered in plaintext Otherwise the command is rejected Configuration commands with encrypted sensi...

Page 560: ... should not manually change the file SSD indicator that conflicts with the sensitive data if any in the file Otherwise plaintext sensitive data may be unexpectedly exposed Sensitive Data Zero Touch Auto Configuration SSD Zero touch Auto Configuration is the auto configuration of target devices with encrypted sensitive data without the need to manually pre configure the target devices with the pass...

Page 561: ...t manually pre configuring the target devices with the passphrase This is zero touch because the target devices learn the passphrase directly from the configuration file NOTE Devices that are out of the box or in factory default states use the default anonymous user to access the SCP server SSD Management Channels Devices can be managed over management channels such as telnet SSH and web SSD categ...

Page 562: ...If SSD is supported this option is only permitted if the local passphrase is identical to the default passphrase If a device is configured with a user defined passphrase the user is unable to activate password recovery Configuring SSD The SSD feature is configured in the following pages SSD properties are set in the SSD Properties page SSD rules are defined in the SSD Rules page SSD Properties Onl...

Page 563: ...figuration File Passphrase Control Configuration File Integrity Control Select to enable this feature See Configuration File Integrity Control STEP 3 Select a Read Mode for the current session see Elements of an SSD Rule STEP 4 Click Apply The settings are saved to the Running Configuration file To change the local passphrase STEP 1 Click Change Local Passphrase and enter a new Local Passphrase De...

Page 564: ...this rule applies to all users Channel This defines the security level of the input channel to which the rule applies Select one of the following options Secure Indicates that this rule applies only to secure channels console SCP SSH and HTTPS not including the SNMP and XML channels Insecure Indicates that this rule applies only to insecure channels Telnet TFTP and HTTP not including the SNMP and ...

Page 565: ...e subjected to the read permission of the rule The following options exist but some might be rejected depending on the rule s read permission Exclude Do not allow reading the sensitive data Encrypted Sensitive data is presented encrypted Plaintext Sensitive data is presented as plaintext STEP 3 Click Apply The settings are saved to the Running Configuration file STEP 4 The following actions can be...

Page 566: ...ther by password or by public key At the same time the remote user as a SSH client can perform SSH Server Authentication to authenticate the device using the device public key fingerprint SSH Server can operate in the following modes By Internally generated RSA DSA Keys Default Setting An RSA and a DSA key are generated Users log on the SSH Server application and are automatically authenticated to...

Page 567: ...r authentication by password in the SSH User Authentication page STEP 3 Establish SSH sessions to the device from a SSH client application such as PUTTY Workflow3 Create an SSH session with SSH user authentication by public key with without bypassing management authentication perform the following steps STEP 1 Enable SSH server in the TCP UDP Services page STEP 2 Enable SSH User authentication by ...

Page 568: ...nabled If a user is defined in the local database and this user passed SSH Authentication using a public key the authentication by the local database username and password is skipped NOTE The configured authentication method for this specific management method console Telnet SSH and so on must be Local i e not RADIUS or TACACS See Management Access Method for more details Not Enabled After success...

Page 569: ...er a user name Key Type Select either RSA or DSA Public Key Copy the public key generated by an external SSH client application like PuTTY into this text box STEP 5 Click Apply to save the new user The following fields are displayed for all active users IPAddress IP address of the active user SSH User Name User name of the active user SSH Version Version of SSH used by the active user Cipher Ciphe...

Page 570: ...splayed for each key Key Type RSA or DSA Key Source Auto Generated or User Defined Fingerprint Fingerprint generated from the key STEP 2 Select either an RSA or DSA key STEP 3 You can perform any of the following actions Generate Generates a key of the selected type Edit Enables you to copy in a key from another device Enter the following fields Key Type As described above Public Key Enter the pub...

Page 571: ...tral SSH server When configuration files are transferred over a network Secure Copy SCP which is an application that utilizes the SSH protocol ensures that sensitive data such as username password cannot be intercepted Secure Copy SCP is used to securely transfer firmware boot image configuration files language files and log files from a central SCP server to a device With respect to SSH the SCP r...

Page 572: ...d When SSH server authentication is enabled the user must add an entry for the trusted servers to the Trusted SSH Servers Table This table stores the following information per each SSH Trusted server for a maximum of 16 servers and contains the following information Server IP address host name Server public key fingerprint When SSH server authentication is enabled the SSH client running on the dev...

Page 573: ... server This is not done through the device s management system although after a username has been established on the server the server password can be changed through the device s management system The username password must then be created on the device When the device tries to establish a SSH session to a SSH server the username password supplied by the device must match the username password o...

Page 574: ...her because of security considerations If there are multiple switches in the network the process of creating public private keys for all the switches might be time consuming because each public private key must be created and then loaded onto the SSH server To facilitate this process an additional feature enables secure transfer of the encrypted private key to all switches in the system When a pri...

Page 575: ...s hmac sha1 NOTE Compression algorithms are not supported Before You Begin The following actions must be performed before using the SCP feature When using the password authentication method a username password must be set up on the SSH server When using public private keys authentication method the public key must be stored on the SSH server Common Tasks This section describes some common tasks pe...

Page 576: ... password entered in the SSH User Authentication page can be used STEP 3 Set up a username password or modify the password on the remote SSH server This activity depends on the server and is not described here STEP 4 If the public private key method is being used perform the following steps a Select whether to use an RSA or DSA key create a username and then generate the public private keys b View...

Page 577: ...sted SSH Servers table SSH User Authentication Use this page to select an SSH user authentication method set a username and password on the device if the password method is selected or generate an RSA or DSA key if the public private key method is selected To select an authentication method and set the username password keys STEP 1 Click Security SSH Client SSH User Authentication STEP 2 Select an...

Page 578: ... Auto Generated or User Defined Fingerprint Fingerprint generated from the key STEP 6 To handle an RSA or DSA key select either RSA or DSA and perform one of the following actions Generate Generate a new key Edit Display the keys for copying pasting to another device Delete Delete the key Details Display the keys SSH Server Authentication To enable SSH server authentication and define the trusted ...

Page 579: ... IPv6 Address Type If the SSH server IP address is an IPv6 address select the IPv6 address type The options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface th...

Page 580: ...options are Link Local The IPv6 address uniquely identifies hosts on a single network link A link local address has a prefix of FE80 is not routable and can be used for communication only on the local network Only one link local address is supported If a link local address exists on the interface this entry replaces the address in the configuration Global The IPv6 address is a global Unicast IPV6 ...

Page 581: ... and how to configure it in the GUI It covers the following topics IPv6 First Hop Security Overview Router Advertisement Guard Neighbor Discovery Inspection DHCPv6 Guard Neighbor Binding Integrity IPv6 Source Guard Attack Protection Policies Global Parameters and System Defaults Common Tasks Default Settings and Configuration Configuring IPv6 First Hop Security through Web GUI ...

Page 582: ...or Discovery Protocol messages DHCPv6 messages and user data messages according to a number of different rules Figure 1 IPv6 First Hop Security Configuration A separate and independent instance of IPv6 First Hop Security runs on each VLAN on which the feature is enabled Abbreviations IPv6 Host End Node Monitor First Hop Switch IPv6 Router 370572 Name Description CPA message Certification Path Adve...

Page 583: ...d to each VLAN that is not attached to a user defined policy and the second one is connected to each interface and VLAN that is not attached to a user defined policy These policies cannot be attached explicitly by the user See Policies Global Parameters and System Defaults IPv6 First Hop Security Pipe If IPv6 First Hop Security is enabled on a VLAN the switch traps the following messages Router Ad...

Page 584: ...ure DHCPv6 Guard validates these messages drops illegal message and legal messages passes to the IPv6 Source Guard feature Trapped data messages are passed to the IPv6 Source Guard feature IPv6 Source Guard validates received messages trapped data messages NDP messages from ND Inspection and DHCPv6 messages from DHCPv6 Guard using the Neighbor Binding Table drops illegal messages and passes legal ...

Page 585: ...ity Perimeter IPv6 First Hop Security switches can form a perimeter separating untrusted area from trusted area All switches inside the perimeter support IPv6 First Hop Security and hosts and routers inside this perimeter are trusted devices For example in Figure 2 Switch B and Switch C are inner links inside the protected area Figure 2 IPv6 First Hop Security Perimeter ...

Page 586: ...trapped RA messages RA Guard supports the following functions Filtering of received RA CPA and ICMPv6 redirect messages Validation of received RA messages Filtering of Received RA CPA and IPCMv6 redirect Messages RA Guard discards RA and CPA messages received on interfaces whose role are not router The interface role is configured in the RA Guard Settings page Validation of RA messages RA Guard va...

Page 587: ...ard treats the trapped DHCPv6 messages DHCPv6 Guard supports the following functions Filtering of received DHCPv6 messages DHCP Guard discards DHCPv6 reply messages received on interfaces whose role is client The interface role is configured in the DHCPv6 Guard Settings page Validation of received DHCPv6 messages DHCPv6 Guard validates DHCPv6 messages that match the filtering based on the DHCPv6 G...

Page 588: ...fined in the RA Prefix table A global IPv6 address provided by a DHCPv6 server must belong to one of the prefixes defined in the IPv6 Prefix List in IPv6 Prefixes page If a message does not pass this verification it is dropped and a rate limited SYSLOG message is sent Neighbor Binding Table Overflow When there is no free space to create a new entry no entry is created and a SYSLOG message is sent ...

Page 589: ... same binding anchor to confirm that the originator owns the source IP address The exception to this rule occurs when an IPv6 host roams in the L2 domain or changes its MAC address In this case the host is still the owner of the IP address but the associated binding anchor might have changed To cope with this case the defined NBI NDP behavior implies verification of whether or not the host is stil...

Page 590: ... attached to an interface These policies are configured in the Neighbor Binding Settings page IPv6 Source Guard If Neighbor Binding Integrity NB Integrity is enabled IPv6 Source Guard validates the source IPv6 addresses of NDP and DHCPv6 messages regardless of whether IPv6 Source Guard is enabled If IPv6 Source Guard is enabled together with NB Integrity IPv6 Source Guard configures the TCAM to sp...

Page 591: ... addresses Attack Protection The section describes attack protection provided by IPv6 First Hop Security Protection against IPv6 Router Spoofing An IPv6 host can use the received RA messages for IPv6 router discovery Stateless address configuration A malicious host could send RA messages advertising itself as an IPv6 router and providing counterfeit prefixes for stateless address configuration RA ...

Page 592: ... DAD_NS message is forwarded only on inner interfaces If the given IPv6 address is known the DAD_NS message is forwarded only on the interface where the IPv6 address is bound An NA message is dropped if the target IPv6 address is bound with another interface Protection against DHCPv6 Server Spoofing An IPv6 host can use the DHCPv6 protocol for Stateless Information configuration Statefull address ...

Page 593: ...ed to apply the feature to packets Policies Policies contain the rules of verification that are performed on input packets They can be attached to VLANs and also to ports and LAGs If the feature is not enabled on a VLAN the policies have no effect Policies can be user defined or default policies see below Default Policies Empty default polices exist for each FHS feature and are by default attached...

Page 594: ... on an interface is built in the following way The rules configured in policies attached to the interface port or LAG on which the packet arrived are added to the set The rules configured in the policy attached to the VLAN are added to the set if they have not been added at the port level The global rules are added to the set if they have not been added at the VLAN or port level Rules defined at t...

Page 595: ...icy Attachment VLAN or Policy Attachment Port pages DHCPv6 Guard Work Flow STEP 1 In the DHCPv6 Guard Settings page enter the list of VLANs on which this feature is enabled STEP 2 In this same page set the global configuration values that are used if no values are set in a policy STEP 3 If required either configure a user defined policy or add rules to the default policies for the feature STEP 4 A...

Page 596: ...r add rules the default policies for the feature STEP 4 Add any manual entries required in the Neighbor Binding Table page STEP 5 Attach the policy to a VLAN port or LAG using either the Policy Attachment VLAN or Policy Attachment Port pages IPv6 Source Guard Work Flow STEP 1 In the IPv6 Source Guard Settings page enter the list of VLANs on which this feature is enabled STEP 2 If required either c...

Page 597: ...f required a policy can be added or the packet drop logging can be added to the system defined default policy To configure IPv6 First Hop Security common parameters STEP 1 Click Security IPv6 First Hop Security FHS Settings The currently defined polices are displayed For each policy its Policy Type is displayed which indicates whether it is a default or user defined policy STEP 2 Enter the followi...

Page 598: ...o jump to PolicyAttachment Port page where you can attach this policy to a port RA Guard Settings Use the RA Guard Settings page to enable the RA Guard feature on a specified group of VLANs and to set the global configuration values for this feature If required a policy can be added or the system defined default RA Guard policies can be configured in this page To configure RA Guard STEP 1 Click Se...

Page 599: ...fication of the advertised Other Configuration flag within an IPv6 RA Guard policy Inherited Feature is inherited from either the VLAN or system default client No Verification Disables verification of the advertised Other Configuration flag On Enables verification of the advertised Managed Other flag Off The value of the flag must be 0 RAAddress List Specify the list of addresses to filter Inherit...

Page 600: ...ry of Advertised Default Router Preference Low Specifies the minimum allowedAdvertised Default Router Preference value The following values are acceptable low medium and high see RFC4191 Medium Specifies the minimum allowed Advertised Default Router Preference value The following values are acceptable low medium and high see RFC4191 High Specifies the minimum allowed Advertised Default Router Pref...

Page 601: ...ard policies can be configured in this page To configure DHCPv6 Guard STEP 1 Click Security IPv6 First Hop Security DHCPv6 Guard Settings The currently defined polices are displayed For each policy its Policy Type is displayed which indicates whether it is a default or user defined policy STEP 2 Enter the following global configuration fields DHCPv6 Guard VLAN List Enter one or more VLANs on which...

Page 602: ...to the port for DHCPv6 Guard Inherited Role of device is inherited from either the VLAN or system default client Client Role of device is client Server Role of device is server Match Reply Prefixes Select to enable verification of the advertised prefixes in received DHCP reply messages within a DHCPv6 Guard policy Inherited Value is inherited from either the VLAN or system default no verification ...

Page 603: ...lower boundary of the hop count limit User Defined Verifies that the advertised preference value is less than or equal to this value STEP 6 Click Apply to add the settings to the Running Configuration file STEP 7 To attach this policy to an interface Attach Policy to VLAN Click to jump to Policy Attachment VLAN page where you can attach this policy to a VLAN Attach Policy to Interface Click to jum...

Page 604: ...lly enable checking source MAC address against the link layer address STEP 3 Click Apply to add the settings to the Running Configuration file STEP 4 If required click Add to create an ND Inspection policy STEP 5 Enter the following fields Policy Name Enter a user defined policy name Device Role Select one of the following to specify the role of the device attached to the port for ND Inspection In...

Page 605: ...jump to Policy Attachment VLAN page where you can attach this policy to a VLAN Attach Policy to Interface Click to jump to PolicyAttachment Port page where you can attach this policy to a port Neighbor Binding Settings The Neighbor Binding table is a database table of IPv6 neighbors connected to a device is created from information sources such as Neighbor Discovery Protocol NDP snooping This data...

Page 606: ... Stateless Only stateless auto configuration is allowed for global IPv6 bound from NDP messages Disable Binding from NDP messages is disabled Binding from DHCPv6 Messages Binding from DHCPv6 is allowed Neighbor Binding Entry Limits Specify the maximum number of Neighbor Binding entries per type of interface or address Entries Per VLAN Specifies the neighbor binding limit per VLAN Select either No ...

Page 607: ...resses Disable Disable validation of addresses Global Address Binding Configuration Inherit Address Binding Settings Enable to use the global address binding settings Binding from NDP Messages To change the global configuration of allowed configuration methods of global IPv6 addresses within an IPv6 Neighbor Binding policy select one of the following options Any Any configuration methods stateless...

Page 608: ... of VLANs If required a policy can be added or the system defined default IPv6 Source Guard policies can be configured in this page To configure IPv6 Source Guard STEP 1 Click Security IPv6 First Hop Security IPv6 Source Guard Settings The existing policies are displayed The fields are displayed below except for the Policy Type field This displays whether the policy is user defined or a default on...

Page 609: ...terface Policy Name Select the name of the policy to attach to the interface VLAN List Select the VLANs to which the policy is attached STEP 3 Click Apply to add the settings to the Running Configuration file Policy Attachment Port To attach a policy to one or more ports or LAGs STEP 1 Click Security IPv6 First Hop Security Policy Attachment Port The list of policies that are already attached are ...

Page 610: ...d the IPv6 address only available for dynamic entries Static Added manually NDP Learnt from Neighbor Discovery Protocol messages DHCP Learnt from DHCPv6 protocol messages State State of the entry Tentative The new host IPv6 address is under validation Since its lifetime is less than 1 sec its expiration time is not displayed Valid The host IPv6 address was bound Expiry Time Sec Remaining time in s...

Page 611: ...es Dynamic Only Clear only dynamic entries All Dynamic Static Clear static and dynamic entries STEP 3 The following fields are displayed for the exiting entries VLAN ID VLAN on which the prefixes are relevant IPv6 Prefix IPv6 prefix Prefix Length IPv6 prefix length Origin Entry is dynamic learned or static manually configured Autoconfig The prefix can be used for stateless configuration Expiry Tim...

Page 612: ... RA Prefix List RA prefix list to be matched Minimal Hop Limit Is minimum RA hop limit verification enabled Maximal Hop Limit Is maximum RA hop limit verification enabled Minimal Router Preference Is minimum router preference verification enabled Maximal Router Preference Is maximum router preference verification enabled DHCPv6 Guard Status DHCPv6 Guard State on Current VLAN Is DHCPv6 Guard enable...

Page 613: ...es are validated Max Entries per VLAN Maximum number of dynamic Neighbor Binding table entries per VLAN allowed Max Entries per Interface Maximum number of Neighbor Binding table entries per interface allowed Max Entries per MAC Address Maximum number of Neighbor Binding table entries per MAC address allowed IPv6 Source Guard Status IPv6 Source Guard State on Current VLAN Is IPv6 Source Guard enab...

Page 614: ... types of messages RA Router Advertisement messages REDIR Redirect messages NS Neighbor Solicitation messages NA Neighbor Advertisement messages RS Router Solicitation message DHCPv6 Messages The number of received and dropped messages are displayed for the following types of DHCPv6 messages ADV Advertise messages REP Reply messages REC Reconfigure messages REL REP Relay reply messages LEAS REP Le...

Page 615: ... entry This section contains the following topics Overview MAC Based ACLs Creation IPv4 based ACL Creation IPv6 Based ACL Creation ACL Binding Overview An Access Control List ACL is an ordered list of classification filters and actions Each single classification rule together with its action is called an Access Control Element ACE Each ACE is made up of filters that distinguish traffic groups and ...

Page 616: ... permits all the traffic If IGMP MLD snooping is enabled on a port bound with an ACL add ACE filters in the ACL to forward IGMP MLD packets to the device Otherwise IGMP MLD snooping fails at the port The order of the ACEs within the ACL is significant since they are applied in a first fit manner The ACEs are processed sequentially starting with the first ACE ACLs can be used for security for examp...

Page 617: ...tical characteristics as follows Layer 2 Packets Identical source and destination MAC addresses Layer 3 Packets Identical source and destination IP addresses Layer 4 Packets Identical source and destination IP and L4 port For any new flow the first packet that is trapped from a specific interface causes the generation of an informational SYSLOG message Additional packets from the same flow are tra...

Page 618: ...tocol 1 DSCP 54 ICMP Type Echo Reply ICMP code 5 trapped For an L4 packet 06 Jun 2013 09 53 46 3SWCOS I LOGDENYINETPORTS gi0 1 deny ACE IPv4 TCP 1 1 1 1 55 1 1 1 10 66 trapped Configuring ACLs This section describes how to create ACLs and add rules ACEs to them Creating ACLs Workflow To create ACLs and associate them with an interface perform the following 1 Create one or more of the following typ...

Page 619: ...ws Unbind the policy containing the class map from the interface by using Policy Binding Delete the class map containing the ACL from the policy using the Configuring a Policy Edit Delete the class map containing the ACL by using Defining Class Mapping Only then can the ACL be modified as described in this section MAC Based ACLs Creation MAC based ACLs are used to filter traffic based on Layer 2 f...

Page 620: ...ria Deny Drop packets that meet the ACE criteria Shutdown Drop packets that meet the ACE criteria and disable the port from where the packets received Such ports can be reactivated from the Error Recovery Settings page Logging Select to enable logging ACL flows that match the ACL rule Time Range Select to enable limiting the use of the ACL to a specific time range Time Range Name If Time Range is ...

Page 621: ...C Wildcard Mask Enter the mask to define a range of MAC addresses VLAN ID Enter the VLAN ID section of the VLAN tag to match 802 1p Select Include to use 802 1p 802 1p Value Enter the 802 1p value to be added to the VPT tag 802 1p Mask Enter the wildcard mask to be applied to the VPT tag Ethertype Enter the frame Ethertype to be matched STEP 5 Click Apply The MAC based ACE is saved to the Running ...

Page 622: ...L is saved to the Running Configuration file IPv4 Based ACE NOTE Each IPv4 based rule consumes one TCAM rule Note that the TCAM allocation is performed in couples such that for the first ACE 2 TCAM rules are allocated and the second TCAM rule is allocated to the next ACE and so forth To add rules ACEs to an IPv4 based ACL STEP 1 Click Access Control IPv4 Based ACE STEP 2 Select an ACL and click Go...

Page 623: ... create an ACE based on a specific protocol or protocol ID Select Any IPv4 to accept all IP protocols Otherwise select one of the following protocols from the drop down list Selected from list ICMP Internet Control Message Protocol IGMP Internet Group Management Protocol IP in IP IP in IP encapsulation TCP Transmission Control Protocol EGP Exterior Gateway Protocol IGP Interior Gateway Protocol UD...

Page 624: ...0 0000 0000 0000 1111 1111 which means that you match on the bits where there is 0 and don t match on the bits where there are 1 s You need to translate the 1 s to a decimal integer and you write 0 for each four zeros In this example since 1111 1111 255 the mask would be written as 0 0 0 255 Destination IPAddress Select Any if all destination address are acceptable or User defined to enter a desti...

Page 625: ...CP to match IP Precedence to match IP precedence is a model of TOS type of service that the network uses to help provide the appropriate QoS commitments This model uses the 3 most significant bits of the service type byte in the IP header as described in RFC 791 and RFC 1349 ICMP If the IP protocol of the ACL is ICMP select the ICMP message type used for filtering purposes Either select the messag...

Page 626: ...s the building elements of flow definitions for per flow QoS handling IPv6 Based ACL To define an IPv6 based ACL STEP 1 Click Access Control IPv6 Based ACL This window contains the list of defined ACLs and their contents STEP 2 Click Add STEP 3 Enter the name of a new ACL in the ACL Name field The names are case sensitive STEP 4 Click Apply The IPv6 based ACL is saved to the Running Configuration ...

Page 627: ...ibed in the System Time section Protocol Select to create an ACE based on a specific protocol Select Any IPv6 to accept all IP protocols Otherwise select one of the following protocols TCP Transmission Control Protocol Enables two hosts to communicate and exchange data streams TCPguarantees packet delivery and guarantees that packets are transmitted and received in the order they sent UDP User Dat...

Page 628: ...as for the Source Port field described above NOTE You must specify the IPv6 protocol for the ACL before you can configure the source and or destination port Flow Label Classifies IPv6 traffic based on a IPv6 Flow label field This is a 20 bit field that is part of the IPv6 packet header An IPv6 flow label can be used by a source station to label a set of packets belonging to the same flow Select An...

Page 629: ... to handle the message Select one of the following options to configure whether to filter on this code Any Accept all codes User Defined Enter an ICMP code for filtering purposes STEP 5 Click Apply ACL Binding When an ACL is bound to an interface port LAG or VLAN its ACE rules are applied to packets arriving at that interface Packets that do not match any of the ACEs in the ACL are matched to a de...

Page 630: ...ed Permit Any If packet does not match an ACL it is permitted forwarded NOTE Default Action can be defined only if IP Source Guard is not activated on the interface STEP 4 Click Apply The ACL binding is modified and the Running Configuration file is updated NOTE If no ACL is selected the ACL s that is previously bound to the VLAN are unbound ACL Binding Port To bind an ACL to a port or LAG STEP 1 ...

Page 631: ...If packet does not match an ACL it is denied dropped Permit Any If packet does not match an ACL it is permitted forwarded NOTE Default Action can be defined only if IP Source Guard is not activated on the interface Output ACL MAC Based ACL Select a MAC based ACL to be bound to the interface IPv4 Based ACL Select an IPv4 based ACL to be bound to the interface IPv6 Based ACL Select an IPv6 based ACL...

Page 632: ...ty of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment This section covers the following topics QoS Features and Components General QoS Basic Mode QoS Advanced Mode QoS Statistics ...

Page 633: ...rt The classification is done by ACL Access Control List and only traffic that meets the ACL criteria is subject to CoS or QoS classification Assignment to Software Queues Assigns incoming packets to forwarding queues Packets are sent to a particular queue for handling as a function of the traffic class to which they belong See Queue Other Traffic Class Handling Attribute Applies QoS mechanisms to...

Page 634: ...ther the trust mode is CoS 802 1p or DSCP respectively Advanced Mode Per flow Quality of Service QoS In advanced mode a per flow QoS consists of a class map and or a policer A class map defines the kind of traffic in a flow and contains one or more ACLs Packets that match the ACLs belong to the flow A policer applies the configured QoS to a flow The QoS configuration of a flow may consist of egres...

Page 635: ...eue page If the device is in DSCP trusted mode incoming packets are put into the egress queues based on the their DSCP TC value STEP 5 Designate an egress queue to each CoS 802 1p priority If the device is in CoS 802 1 trusted mode all incoming packets are put into the designated egress queues according to the CoS 802 1p priority in the packets This is done by using the CoS 802 1p to a Queue page ...

Page 636: ...gress queues by using the Queue page STEP 4 Designate an egress queue to each IP DSCP TC value with the DSCP to Queue page If the device is in DSCP trusted mode incoming packets are put into the egress queues based on the their DSCP TC value STEP 5 Designate an egress queue to each CoS 802 1p priority If the device is in CoS 802 1 trusted mode all incoming packets are put into the designated egres...

Page 637: ...he QoS mode for the system Basic Advanced or Disabled as described in the QoS Modes section To enable QoS and select the QoS mode STEP 1 Click Quality of Service General QoS Properties STEP 2 Set the QoS mode The following options are available Disable QoS is disabled on the device Basic QoS is enabled on the device in Basic mode Advanced QoS is enabled on the device in Advanced mode STEP 3 Select...

Page 638: ...ow traffic in queues is handled Strict Priority and Weighted Round Robin WRR Strict Priority Egress traffic from the highest priority queue is transmitted first Traffic from the lower queues is processed only after the highest queue has been transmitted thus providing the highest level of priority of traffic to the highest numbered queue Weighted Round Robin WRR In WRR mode the number of packets s...

Page 639: ...e priority method and enter WRR data STEP 1 Click Quality of Service General Queue STEP 2 Enter the parameters Queue Displays the queue number Scheduling Method Select one of the following options Strict Priority Traffic scheduling for the selected queue and all higher queues is based strictly on the queue priority WRR Traffic scheduling for the selected queue is based on WRR The period time is di...

Page 640: ...ing CoS 802 1p to Queue and the Queue schedule method and bandwidth allocation Queue page it is possible to achieve the desired quality of service in a network The CoS 802 1p to Queue mapping is applicable only if one of the following exists The device is in QoS Basic mode and CoS 802 1p trusted mode The device is in QoS Advanced mode and the packets belong to flows that are CoS 802 1p trusted 802...

Page 641: ...it is mapped STEP 4 Click Apply Cancel or Restore Defaults 801 1p priority values to queues are mapped and the Running Configuration file is updated the changes that entered are canceled or previously defined values are restored DSCP to Queue The DSCP IP Differentiated Services Code Point to Queue page maps DSCP values to egress queues The DSCP to Queue Table determines the egress queues of the in...

Page 642: ...here 8 is highest DSCP 63 55 47 39 31 23 15 7 Queue 6 6 7 5 4 3 2 1 DSCP 62 54 46 38 30 22 14 6 Queue 6 6 7 5 4 3 2 1 DSCP 61 53 45 37 29 21 13 5 Queue 6 6 7 5 4 3 2 1 DSCP 60 52 44 36 28 20 12 4 Queue 6 6 7 5 4 3 2 1 DSCP 59 51 43 35 27 19 11 3 Queue 6 6 7 5 4 3 2 1 DSCP 58 50 42 34 26 18 10 2 Queue 6 6 7 5 4 3 2 1 DSCP 57 49 41 33 25 17 9 1 Queue 6 6 7 5 4 3 2 1 DSCP 56 48 40 32 24 16 8 0 Queue ...

Page 643: ...he incoming packet and its associated class STEP 2 Select the Output Queue traffic forwarding queue to which the DSCP value is mapped STEP 3 Click Apply The Running Configuration file is updated Queue 7 7 8 6 5 4 3 1 DSCP 60 52 44 36 28 20 12 4 Queue 7 7 8 6 5 4 3 1 DSCP 59 51 43 35 27 19 11 3 Queue 7 7 8 6 5 4 3 1 DSCP 58 50 42 34 26 18 10 2 Queue 7 7 8 6 5 4 3 1 DSCP 57 49 41 33 25 17 9 1 Queue ...

Page 644: ...Bits sec Displays the maximum bandwidth for the egress interface CBS Bytes Maximum burst size of data for the egress interface in bytes of data STEP 2 Select an interface and click Edit STEP 3 Select the Port or LAG interface STEP 4 Enter the fields for the selected interface Ingress Rate Limit Select to enable the ingress rate limit which is defined in the field below Not relevant for LAGs Ingres...

Page 645: ...ions meaning that their size is not included in the limit total Per queue Egress rate shaping can be disabled To define egress shaping per queue STEP 1 Click Quality of Service General Egress Shaping per Queue The Egress Shaping Per Queue page displays the rate limit and burst size for each queue STEP 2 Select an interface type Port or LAG and click Go STEP 3 Select a Port LAG and click Edit This ...

Page 646: ...e configured VLAN rate limit value is applied to each of the packet processors independently Devices with up to 24 ports have a single packet processor while devices of 48 ports or more have two packet processors Rate limiting is calculated separately for each packet processor in a unit and for each unit in a stack To define the VLAN ingress rate limit STEP 1 Click Quality of Service General VLAN ...

Page 647: ...lds iSCSI Status Select to enable processing iSCSI traffic on the device VPT Assignment Select either Unchanged to leave the original VLAN Priority Tag VPT value in the packet or enter a new value in the Reassigned field DSCPAssignment Select either Unchanged to leave the original DSCP value in the packet or enter a value in the Reassigned field Queue Assignment Enter the Queue assignment for iSCS...

Page 648: ...same byte count To configure TCP congestion avoidance STEP 1 Click Quality of Service General TCP Congestion Avoidance STEP 2 Click Enable to enable TCP congestion avoidance and click Apply QoS Basic Mode This section covers the following topics Overview Global Settings Interface Settings Overview In QoS Basic mode a specific domain in the network can be defined as trusted Within that domain packe...

Page 649: ...ngs The Global Settings page contains information for enabling Trust on the device see the Trust Mode field below This configuration is active when the QoS mode is Basic mode Packets entering a QoS domain are classified at the edge of the QoS domain To define the Trust configuration STEP 1 Click Quality of Service QoS Basic Mode Global Settings STEP 2 Select the Trust Mode while the device is in B...

Page 650: ... file is updated with the new DSCP values Interface Settings The Interface Settings page enables configuring QoS on each port of the device as follows QoS State Disabled on an Interface All inbound traffic on the port is mapped to the best effort queue and no classification prioritization takes place QoS State of the Port is Enabled Port prioritize traffic on ingress is based on the system wide co...

Page 651: ...he following characteristics and relationships A policy contains one or more class maps A class map defines a flow with one or more associating ACLs Packets that match only ACL rules ACE in a class map with Permit forward action are considered belonging to the same flow and are subjected to the same quality of services Thus a policy contains one or more flows each with a user defined QoS The QoS o...

Page 652: ...ingle policer each applying the QoS on the class map flow at a port independent of each other An aggregate policer applies the QoS to all its flow s in aggregation regardless of policies and ports Advanced QoS settings consist of three parts Definitions of the rules to match All frames matching a single group of rules are considered to be a flow Definition of the actions to be applied to frames in...

Page 653: ...st on the device Packets entering a QoS domain are classified at the edge of the QoS domain To define the Trust configuration STEP 1 Click Quality of Service QoS Advanced Mode Global Settings STEP 2 Select the Trust Mode while the device is in Advanced mode If a packet CoS level and DSCP tag are mapped to separate queues the Trust mode determines the queue to which the packet is assigned CoS 802 1...

Page 654: ...k DSCP Override Table to reconfigure DSCP DSCP Override Table STEP 1 Enter the following fields DSCP In Displays the DSCP value of the incoming packet that needs to be remarked to an alternative value DSCP Out Select the DSCP Out value to indicate the outgoing value is mapped STEP 2 Click Apply Out of Profile DSCP Remarking When a policer is assigned to a class maps flows you can specify the actio...

Page 655: ...DSCP In displays the DSCP value of the incoming packet that needs to be re marked to an alternative value You may filter according to Action Type to display all Exceed or Violate This enables you to configure remarking when the traffic exceeds wither the Exceed or Violate threshold of a policer STEP 2 Select the DSCP Out value to where the incoming value is mapped STEP 3 Click Apply The Running Co...

Page 656: ...s map is added by selecting one or two ACLs and giving the class map a name If a class map has two ACLs you can specify that a frame must match both ACLs or that it must match either one or both of the ACLs selected STEP 3 Enter the parameters Class Map Name Enter the name of a new class map Match ACL Type The criteria that a packet must match in order to be considered to belong to the flow define...

Page 657: ...d one or more flows An aggregation policer can support class maps from different policies An aggregate policer applies QoS to all its flow s in aggregation regardless of policies and ports An aggregate policer is created in the Aggregate Policer page An aggregate policer is defined if the policer is to be shared with more than one class Policers on a port cannot be shared with other policers in an...

Page 658: ...e Enter the name of the Aggregate Policer Ingress Committed Information Rate CIR Enter the maximum bandwidth allowed in bits per second See the description of this in the Bandwidth page Ingress Committed Burst Size CBS Enter the maximum burst size even if it goes beyond the CIR in bytes See the description of this in the Bandwidth page Exceed Action Select the action to be performed on incoming pa...

Page 659: ...be added by using the Policy Table page To add a QoS policy STEP 1 Click Quality of Service QoS Advanced Mode Policy Table This page displays the list of defined policies STEP 2 Click Policy Class Map Table to display the Policy Class Maps page or Click Add to open the Add Policy Table page STEP 3 Enter the name of the new policy in the New Policy Name field STEP 4 Click Apply The QoS policy profi...

Page 660: ...iority value and the CoS 802 1p to Queue Table to determine the egress queue of all the matching packets If the new value 0 63 is a DSCP use the new DSCP and the DSCP to Queue Table to determine the egress queue of the matching IP packets Otherwise use the new value 1 8 as the egress queue number for all the matching packets Traffic Redirect Select whether to redirect matching traffic If so select...

Page 661: ...IR Enter the CIR in Kbps See a description of this in the Bandwidth page Ingress Committed Burst Size CBS Enter the CBS in bytes See a description of this in the Bandwidth page Exceed Action Select the action assigned to incoming packets exceeding the CIR The options are Drop Packets exceeding the defined CIR value are dropped Out of Profile DSCP IP packets exceeding the defined CIR are forwarding...

Page 662: ... To define policy binding STEP 1 Click Quality of Service QoS Advanced Mode Policy Binding STEP 2 Select an Interface Type if required STEP 3 Click Go The policies for that interface are displayed STEP 4 Click Edit STEP 5 Select the following for the input policy interface Input Policy Binding Select to bind the input policy to the interface Policy Name Select the input policy being bound Default ...

Page 663: ... An Aggregate Policer is bound to one or more class maps from one or more policies Viewing Single Policer Statistics The Single Policer Statistics page indicates the number of in profile and out of profile packets that are received from an interface that meet the conditions defined in the class map of a policy NOTE This page is not displayed when the device is in Layer 3 mode To view policer stati...

Page 664: ...ity of Service QoS Statistics Aggregate Policer Statistics This page displays the following fields Aggregate Policer Name Policer on which statistics are based In Profile Bytes Number of in profile packets that received Out of Profile Bytes Number of out of profile packets that received STEP 2 Click Add STEP 3 Select an Aggregate Policer Name one of the previously created Aggregate Policers for wh...

Page 665: ...atistics are refreshed every 15 seconds 30 Sec Statistics are refreshed every 30 seconds 60 Sec Statistics are refreshed every 60 seconds To view a specific unit and interface select the unit interface in the filter and click Go To view a specific interface select the interface in the filter and click Go The Queues Statistics Table displays the following fields for each queue Queue Packets forward...

Page 666: ...ents Notification Filter Overview SNMP Versions and Workflow The device functions as SNMP agent and supports SNMPv1 v2 and v3 It also reports system events to trap receivers using the traps defined in the supported MIBs Management Information Base SNMPv1 and v2 To control access to the system a list of community entries is defined Each community entry consists of a community string and its access ...

Page 667: ...ompares the incoming message time stamp to the message arrival time Key Management Defines key generation key updates and key use The device supports SNMP notification filters based on Object IDs OID OIDs are used by the system to manage device features SNMP Workflow NOTE For security reasons SNMP is disabled by default Before you can manage the device via SNMP you must enable SNMP on the TCP UDP ...

Page 668: ... the SNMP engine by using the Engine ID page Either create a unique Engine ID or use the default Engine ID Applying an Engine ID configuration clears the SNMP database STEP 2 Optionally define SNMP view s by using the Views page This limits the range of OIDs available to a community or group STEP 3 Define groups by using the Groups page STEP 4 Define users by using the Users page where they can be...

Page 669: ...0G Stackable Managed Switch 9 6 1 91 12 9 SG550XG 8F8T SG550XG 8F8T 16 Port 10G Stackable Managed Switch 9 6 1 90 16 9 SG550XG 24T SG550XG 24T 24 Port 10GBase T Stackable Managed Switch 9 6 1 90 24 9 SG550XG 48T SG550XG 48T 48 Port 10GBase T Stackable Managed Switch 9 6 1 90 48 9 SG550XG 24F SG550XG 24F 24 Port 10G SFP Stackable Managed Switch 9 6 1 90 24 8 SF350 08 SF350 08 8 Port 10 100 Managed ...

Page 670: ...naged Switch 9 6 1 96 48 5 SF350 48MP SF350 48MP 48 Port 10 100 PoE Managed Switch 9 6 1 96 48 6 SG350 08PD SG350 8PD 8 Port 2 5G PoE Managed Switch 9 6 1 95 8 11 SG350 10 SG350 10 10 Port Gigabit Managed Switch 9 6 1 95 10 3 SG350 10P SG350 10P 10 Port Gigabit PoE Managed Switch 9 6 1 95 10 5 SG355 10P SG355 10P 10 Port Gigabit PoE Managed Switch 9 6 1 95 10 10 SG350 10MP SG350 10MP 10 Port Gigab...

Page 671: ... 28 Port Gigabit SFP Managed Switch 9 6 1 95 28 8 SG350 52 SG350 52 52 Port Gigabit Managed Switch 9 6 1 95 52 1 SG350 52P SG350 52P 52 Port Gigabit PoE Managed Switch 9 6 1 95 52 5 SG350 52MP SG350 52MP 52 port Gigabit PoE Managed Switch 9 6 1 95 52 6 SG350X 08PMD SG350X 8PMD 8 Port 2 5G PoE Stackable Managed Switch 9 6 1 94 8 12 SG350X 24 SG350X 24 24 Port Gigabit Stackable Managed Switch 9 6 1 ...

Page 672: ...9 6 1 94 48 5 SG350X 48MP SG350X 48MP 48 Port Gigabit PoE Stackable Managed Switch 9 6 1 94 48 6 SF550X 24 SF550X 24 24 Port 10 100 Stackable Managed Switch 9 6 1 92 24 1 SF550X 24P SF550X 24P 24 Port 10 100 PoE Stackable Managed Switch 9 6 1 92 24 5 SF550X 24MP SF550X 24MP 24 Port 10 100 PoE Stackable Managed Switch 9 6 1 92 24 6 SF550X 48 SF550X 48 48 Port 10 100 Stackable Managed Switch 9 6 1 9...

Page 673: ... 6 1 93 48 1 SG550X 48P SG550X 48P 48 Port Gigabit PoE Stackable Managed Switch 9 6 1 93 48 5 SG550X 48MP SG550X 48MP 48 Port Gigabit PoE Stackable Managed Switch 9 6 1 93 48 6 SX350X 08 SX350X 08 8 Port 10GBase T Stackable Managed Switch 9 6 1 1002 8 9 SX350X 12 SX350X 12 12 Port 10GBase T Stackable Managed Switch 9 6 1 1002 12 9 SX350X 24F SX350X 24F 24 Port 10G SFP Stackable Managed Switch 9 6 ...

Page 674: ...is comprised of the enterprise number and the default MAC address This engine ID must be unique for the administrative domain so that no two devices in a network have the same engine ID Local information is stored in four MIB variables that are read only snmpEngineId snmpEngineBoots snmpEngineTime and snmpEngineMaxMessageSize CAUTION When the engine ID is changed all configured users and groups ar...

Page 675: ...e ID table STEP 3 Click Apply The Running Configuration file is updated The Remote Engine ID table shows the mapping between IP addresses of the engine and Engine ID To add the IP address of an engine ID STEP 4 Click Add Enter the following fields Server Definition Select whether to specify the Engine ID server by IP address or name IP Version Select the supported IP format IPv6 Address Type Selec...

Page 676: ...r to a community which employs basic access mode through the Communities page To define SNMP views STEP 1 Click SNMP Views The following fields are displayed for each view Object ID Subtree Node in the MIB tree that is included or excluded in the view Object ID Subtree View Whether the node is Included or Excluded STEP 2 Click Add to define new views STEP 3 Enter the parameters View Name Enter a v...

Page 677: ...NMP agent However neither the frames nor the community string are encrypted Therefore SNMPv1 and SNMPv2 are not secure In SNMPv3 the following security mechanisms can be configured Authentication The device checks that the SNMP user is an authorized system administrator This is done for each frame Privacy SNMP frames can carry encrypted data Thus in SNMPv3 there are three levels of security No sec...

Page 678: ...uthentication nor the Privacy security levels are assigned to the group Authentication and No Privacy Authenticates SNMP messages and ensures the SNMP message origin is authenticated but does not encrypt them Authentication and Privacy Authenticates SNMP messages and encrypts them View Select to associate a view with either read write and or notify access privileges of the group limits the scope o...

Page 679: ...access rights to a group of users instead of to a single user A user can only belong to a single group To create an SNMPv3 user the following must first exist An engine ID must first be configured on the device This is done in the Engine ID page An SNMPv3 group must be available An SNMPv3 group is defined in the Groups page To display SNMP users and define new ones STEP 1 Click SNMP Users This pag...

Page 680: ...ion Method Select the Authentication method that varies according to the Group Name assigned If the group does not require authentication then the user cannot configure any authentication The options are None No user authentication is used MD5 A password that is used for generating a key by the MD5 authentication method SHA A password that is used for generating a key by the SHA Secure Hash Algori...

Page 681: ...or SNMP Admin In addition you can restrict the access to the community to only certain MIB objects by selecting a view defined in the Views page Advanced Mode The access rights of a community are defined by a group defined in the Groups page You can configure the group with a specific security model The access rights of a group are Read Write and Notify To define SNMP communities STEP 1 Click SNMP...

Page 682: ...pe Basic In this community type there is no connection to any group You can only choose the community access level Read Only Read Write or SNMP Admin and optionally further qualify it for a specific view By default it applies to the entire MIB If this is selected enter the following fields Access Mode Select the access rights of the community The options are Read Only Management access is restrict...

Page 683: ...vents as defined in RFC 1215 The system can generate traps defined in the MIB that it supports Trap receivers Notification Recipients are network nodes to which trap messages are sent by the device A list of notification recipients can be defined A trap receiver entry contains the IP address of the node and the SNMP credentials corresponding to the version that is included in the trap message When...

Page 684: ...source IPv4 address in inform messages for communication with IPv4 SNMP servers Traps IPv4 Source Interface Select the source interface whose IPv6 address will be used as the source IPv6 address in trap messages for communication with IPv6 SNMP servers Informs IPv6 Source Interface Select the source interface whose IPv4 address will be used as the source IPv4 address in inform messages for communi...

Page 685: ...ations on the recipient device Notification Type Select whether to send Traps or Informs If both are required two recipients must be created Timeout Enter the number of seconds the device waits before re sending informs Retries Enter the number of times that the device resends an inform request Community String Select from the pull down the community string of the trap manager Community String nam...

Page 686: ...ers Traps IPv6 Source Interface Select the source interface whose IPv6 address will be used as the source IPv6 address in trap messages for communication with IPv6 SNMP servers STEP 2 Click Add STEP 3 Enter the parameters Server Definition Select whether to specify the remote log server by IP address or name IP Version Select either IPv4 or IPv6 IPv6 Address Type Select the IPv6 address type if IP...

Page 687: ... much authentication is applied to the packet NOTE The Security Level here depends on which User Name was selected If this User Name was configured as No Authentication the Security Level is No Authentication only However if this User Name has assigned Authentication and Privacy on the Users page the security level on this screen can be either No Authentication or Authentication Only or Authentica...

Page 688: ...filter notification entries by Filter Name STEP 2 Click Add STEP 3 Enter the parameters Filter Name Enter a name between 0 30 characters Object ID Subtree Select the node in the MIB tree that is included or excluded in the selected SNMP filter The options to select the object are as follows Select from list Enables you to navigate the MIB tree Press the Up arrow to go to the level of the selected ...

Page 689: ...topology including detailed monitoring information for devices and traffic It enables viewing and modifying of configurations globally on all supported devices in the network The following topics are covered in this chapter SNA Sessions SNA Graphics Topology View Right Hand Information Panel Operations Overlays Tags Search Notifications Device Authorization Control DAC Services Saving SNA Settings...

Page 690: ...e credentials are rejected you are informed of the rejection and of the rejection reason After SNA loads it creates a management sessions with all other SNA capable devices in the network over a WebSocket using the same credentials used to login to SNA As a result only SNA capable devices using the same credentials provide data and management capabilities Other devices do not appear as SNA devices...

Page 691: ...and creates an HTTP management session over which it works The SNA session counts against the number of possible concurrent web management sessions for the SNA manager along with active regular web management sessions Session settings can be saved See Saving SNA Settings SNA Graphics The SNA feature is a graphical representation of the user network When the main page of the SNA is opened the scree...

Page 692: ...ches Firmware Release 2 4 ver 0 4 25 The SNA uses the following icons Table 1 Icon Descriptions Icon Description Cloud Backbone Device The orange number is the number of notifications existing for the device Offline Device greyed out Access Point Client PC Client Phone Client Unknown Device ...

Page 693: ...ight hand menu This menu displays as follow Click each icon to perform the following actions A Save configuration changes to the Startup Configuration file B Open the DAC List Management system See Device Authorization Control DAC C Open the Global Notifications page See Notifications Side Panel Connection Side Panel Multi Selection Side Panel Port Table 1 Icon Descriptions Icon Description A B C ...

Page 694: ...se 2 4 ver 0 4 25 D Open the follow window This window displays or enables the following Displays your Access Permissions Log out of system by clicking Log out Upgrade your permissions by clicking Upgrade Permission E Click to delete a selected device Topology View The topology view is the main view of the SNA ...

Page 695: ...ation on individual devices and the connections between them Figure 1 Topology View See Icon Descriptions for a description of the network nodes shown in Figure 1 Various overlays can be selected for the topology views that affect the graphic representation of elements See Topology Overlays The topology discovery mechanism uses information gathered from LLDP and CDP TLVs to identify devices in the...

Page 696: ... membership Spanning Tree PoE and Link Utilization If you select the VLAN Membership overlay for example VLAN information is added to the topological view See Overlays for a complete description Topology Elements The Topology view displays the following types of entities Devices Ports Connections Between Devices Clouds Devices Detected devices are represented as nodes in the topology view as shown...

Page 697: ...icon and displaying a device explorer screen for the device Devices in the network are separated into the following categories Backbone devices Basic skeleton of the network By default all switches routers and access points detected on the network are designated automatically as backbone devices After a backbone device is detected it remains on the topology map until it is manually removed If the ...

Page 698: ...ap until it is detected or added manually All tags associated with this device are lost and is not restored even if the device is detected again in the future SNA periodically attempts to connect to offline devices to verify if a managed or an SNA switch has come back online During these attempts an indication is displayed on the device Client devices End point clients of the network for example P...

Page 699: ...attached to it a appears on it Click on the to display the clients The following sample displays two clients connected to a cloud device a client PC device and a device of unknown type Ports To view the ports on a device select that device and then double click it This opens a panel that displays all ports of the device including all units if the device is in stack mode ...

Page 700: ...es Firmware Release 2 4 ver 0 4 25 The following attributes are displayed Port name Unit Admin Status Operational Status including disabling reason if the port is turned off by the software LAG membership Description if a description was defined Speed Switchport mode Port Utilization Rx and Tx ...

Page 701: ... the interface ID separated by a slash on a stacking device The slot of the port is not shown on SNA For example the gigabyte port gi1 0 12 is shown as GE1 12 in SNA Names of ports that are discovered on devices with no SNA capabilities are displayed as they are advertised with no manipulation Connections Between Devices Connections between devices are color coded depending on the current overlay ...

Page 702: ...two values You can enter a connection explorer for specific links by clicking on the link The following information is displayed Port s names on the two sides of the link if known LAG IDs if relevant Basic information about the connected devices device type device name IP Link bandwidth for each link comprising the connection Clouds Clouds are sections of the network that SNA cannot map in detail ...

Page 703: ...tion Panel The area to the right of the topology view displays an information panel which displays attributes of the selected elements and enables performing actions on them The right hand information panel contains the following blocks Header Block Right Hand Information Panel Cogwheel Basic Information Block Notifications Block Services Block Tags Statistics ...

Page 704: ...cation SNA Right Hand Information Panel 478 Cisco 350 350X and 550X Series Managed Switches Firmware Release 2 4 ver 0 4 25 Figure 2 shows a sample of the right hand information panel Figure 2 Right Hand Information Panel ...

Page 705: ... type of device and the strongest two forms of identification by which the device was recognized The hierarchy of the identification methods is as follows Host name IP address MAC address For example For example if the host name IP address and MAC address of a device are known the host name and the IP address are shown If the host name or IP address is not known the MAC address replaces the missin...

Page 706: ...er devices the client groups counts as the number of devices that are contained in it For example when selecting a backbone device and a client group containing 5 clients the header shows six devices selected If notifications exist for the device the number of notifications is displayed Right Hand Information Panel Cogwheel The following actions can be performed on the selected devices or connecti...

Page 707: ...cted connection Explore Client Group This option appears when a client group is selected Selecting this action opens the client explorer filtered by the type of device in the client group Delete This option only appears when all the selected devices are offline devices Selecting this action deletes all the selected devices from the topology map Basic Information Block The Basic Information block d...

Page 708: ...ng addresses IPv4 and IPv6 can be seen by pressing the icon next to the label 192 168 1 55 923 a8bc 234 MAC Address The base MAC address of the device 00 00 b0 83 1f ac Description Editable field of up to 80 characters Saved on SNA storage SNA Support Possible values Full Support for SNA devices Partial Support for managed devices No SNA support for unmanaged devices This parameter appears only fo...

Page 709: ...age file example 2015 Nov 04 17 17 53 Number of Units Only appears on stackable devices 2 PoE Power on unit Available PoE Power Displayed only on PoE capable devices Displays the available power used out of the maximum power supply If the device is a stacked device a field appears for each PoE capable unit in the stack with the unit ID If the device is standalone or a single unit the label of the ...

Page 710: ...ess used to connect to the device when last seen 192 168 1 55 MAC Address The base MAC address of the device 00 00 b0 83 1f ac Description Editable field of a maximum of 80 characters Last seen The date and time the device was last seen by SNA in the format of the active language file English language file example 2015 Nov 04 17 17 53 Parameter Name Notes Example Host Name String of a maximum of 5...

Page 711: ...w all is clicked Connection Speed 100M 10G VLAN Membership Shows the active VLANs of which the connected interface is a member Dashes are used to join consecutive VLANs 1 6 13 19 1054 2012 2100 4094 Port Utilization Tx Rx Based on the information from the connected port 80 42 PoE Power Consumption Appears only if the client is connected to a PoE port 8900 mW Parameter Name Notes Example ...

Page 712: ...SNA to connect to the parent device Additional advertised addresses IPv4 and IPv6 can be seen by pressing an icon next to the label 192 168 1 55 923 a8bc 234 MAC Address of parent device The base MAC address of the parent device 00 00 b0 83 1f ac Connected Through Cloud This label appears if the client group is connected to the network through a cloud The label replaces the host name IP address an...

Page 713: ...embers in the LAG Consecutive ranges of interfaces are joined by dashes GE1 4 GE1 6 XG2 4 8 VLAN Membership Shows the active VLANs the interface is a member in Dashed lines are used to join consecutive VLANs 1 6 13 19 1054 2012 2100 4094 Port Utilization Tx Rx Appears only for ports 80 42 LAG Type Appears only for LAGs Possible values are Standard or LACP Switchboard Mode Possible values Access Tr...

Page 714: ...ether See Services for additional information Tags Tags are used to identify elements in the topology by attributes see Tags The Tag block of the right hand information displays all the tags assigned to the element either automatically or by the user You can also manage the tags of the selected elements from this part of the panel See Tags for additional information Statistics When viewing an SNA ...

Page 715: ...uency of samples depending on the displayed time scale Last five minutes 20 samples one every 15 seconds Last hour 60 samples one every minute Last day 24 samples one every hour Last week 7 samples one every day Last 3 months 12 samples one every week PoE Consumption Graph Port This graph is a port level graph that shows the PoE utilization of the port over time It is available for all PoE ports o...

Page 716: ...t year 52 samples one every week Traffic Graph Bytes This graph is an interface level graph that shows the total traffic on an interface in bytes over time The graph is available for all interfaces of devices with full SNA support and has separate lines for Tx and for Rx traffic You can select a number of ports and types of traffic to run a side by side comparison The data is shown as a number of ...

Page 717: ... topology view When you select an element in the topology it is possible to perform the following actions View information regarding the element See Explorers Configure an element See Services Add a device or switch to the Topology View See Manually Adding a Device or Switch to the Topology View NOTE When selecting multiple elements only actions that are available for all the selected elements are...

Page 718: ...dress of the switch to be added The following message is received If the device is not detected feedback is displayed and the device is added to the Topology view as an offline unmanaged switch Devices added by this method remain in the topology map until removed manually If such devices are not connected or not detected by SNA they are displayed as offline devices Explorers Explorers enable addit...

Page 719: ...rface is suspended the suspension reason appears in parenthesis LAG Membership Displays only in the port table If the port is a member of a LAG this column shows the LAG ID Port Members Displays only in the LAG table Displays a list of the ports that are members in this LAG This field may contain a long list of ports If the complete list does not fit in the table it may be viewed on the right hand...

Page 720: ...rface Connection Explorer This explorer displays additional details about the individual links collected in a single connection between backbone devices or between an SNA capable device and a cloud When entering the explorer for a specific connection an individual presentation for each link in the explored connection is displayed The explorer displays basic information about the devices on either ...

Page 721: ...in this table are only displayed when specific overlays are active The client explorer is not supported for client groups that are connected to the network through a cloud The following information is displayed in the Client Explorer table Device ID Known information about the device its host name the IP address it uses to connect to its parent switch and the device s MAC address Only the availabl...

Page 722: ...e topology view to add more information or affect the way the topology is displayed This can be accomplished for example by coloring topology elements in different colors depending on various criteria or by changing the icons that are displayed on topology elements to show detailed data relevant to the selected overlay Select the overlay you want to use from a list of available overlays Some overl...

Page 723: ...ce A and port 2 of device B the calculation of one direction is a comparison between the Tx value of port 1 and the Rx value of port B The higher value determines the utilization of the link If only one side of the link is an SNA capable device the utilization of the link is determined by the information from the SNA capable device only When determining the most heavily utilized link for the aggre...

Page 724: ...ology map In the connection explorer each link transferring power displays an indication of providing power and the direction of the power flow This indication is displayed per port even if the link is in a LAG It is possible that some links in a LAG provide power while others do not VLAN Membership This overlay enables viewing of the VLAN memberships of various ports and devices in the network Fo...

Page 725: ...is marked according to the following rules If at least one link is highlighted the connection is highlighted If at least one link has an asymmetric connection the connection is yellow In the Connection Explorer every link can be viewed individually When a link is has an asymmetric configuration in addition to being colored yellow the connection explorer displays which side of the link is not a mem...

Page 726: ... Tags can be built in or user defined Built in tags Applied automatically to nodes based on information gathered by Discovery protocols See Built In Tags User defined tags Added manually and assigned to nodes in the topology map See User Defined Tags Built in and user defined tags are visually distinct from each other ...

Page 727: ...cording to SNA internal data Offline According to SNA internal data Switch According to advertised data on discovery protocols Router According to advertised data on discovery protocols Access Point According to advertised data on discovery protocols IP Phone According to advertised data on discovery protocols PC According to advertised data on discovery protocols host Notifications According to S...

Page 728: ...witches Firmware Release 2 4 ver 0 4 25 The following menu is displayed STEP 2 Select Open tags inventory A list of tags is displayed as shown below STEP 3 Click the search icon for a specific tag in the Close and Find Devices column to see a list of devices with the selected tag ...

Page 729: ...the tag first_floor has been created You may add tags that have the same names as built in tags These tags appear similar to user defined tags and you can remove them at any time Since these tags are distinct from the built in tags it is possible for tags with the same name to appear twice on a single element as long as one of them is user defined and the other is built in To add a tag to a device...

Page 730: ...clicked the topology map becomes centered and zooms on its topology element The search can be refined by adding keywords to limit the fields searched If you enter a keyword followed by a colon and the search term the search term is searched for only in the specified field The following are the supported keywords IP MAC and Tag If the search term is contained in quotes only exact matches are found ...

Page 731: ...tage and Watts value for example 20 5 Watts Cumulative power saved by green Ethernet Displayed as Watts Hours Projected annual power savings by green Ethernet Displayed as Watts Hours Current power saved by power management policy Displayed as Watts Cumulative power saved by power management policy Displayed as Watts Hours Projected annual power savings by power management policy Displayed as Watt...

Page 732: ...nature of the problem They are displayed for the following events A fan fails A temperature sensor detects dangerously high temperature PoE is overloaded a request for PoE cannot be supplied because the budget is surpassed A connection s traffic utilization reaches 70 90 or higher A device s CPU utilization reaches 96 or higher This section does not appear if there are no health problems in the ne...

Page 733: ...LOGs that pass the severity threshold configured for the RAM logs are detected by SNA The notifications in SNA are separated according to the categories based on their SYSLOG severity level The color of the notification indicates its severity as described below Rank 1 Red Critical Alert or Emergency Rank 2 Orange Warning or Error Rank 3 Blue Informational or Notice When an event generating a notif...

Page 734: ...hether they occurred while the SNA session was active or inactive Click to view the table containing an aggregated list of notifications for the complete network This table displays the last 300 events logged in the network by SNA or partial SNA devices Viewing the specifics of a notification removes the new notification annotation from the topology view but all notifications are still available f...

Page 735: ...Smart Network Application SNA Notifications Cisco 350 350X and 550X Series Managed Switches Firmware Release 2 4 ver 0 4 509 25 Timestamp Severity SYSLOG text ...

Page 736: ...IUS server RADIUS host server can be configured on one of the SNA devices Device authorization is done via MAC authentication DAC Workflow The DAC workflow consists of the following steps STEP 1 Activate DAC See Accessing DAC STEP 2 Configure a RADIUS server device and client devices See Specify a RADIUS Server and Clients STEP 3 Add the client devices to the white list See DAC List Management Acc...

Page 737: ...s he RADIUS server for the network by clicking Set as DAC server The following menu is displayed STEP 5 If the device has more than a single IP address select one of those addresses as the one to be used by DAC The list of addresses indicates whether the IP interface is static or dynamic You will be warned if selecting a dynamic interface that the address may not be stable When editing an existing...

Page 738: ...t Select at least one client for the DAC RADIUS server If no clients are selected you will be unable to apply the settings STEP 9 When a switch is selected as a client a window with its ports is displayed Select the ports from the client switch on which to apply 802 1 x authentications The SNA recommends a list of all edge ports all the ports that are not known to be connected to other switches or...

Page 739: ...e server s startup configuration this option is selected by default Until a device is added to the white list it is not allowed access to the network You can view and change the white and black lists at any time as long as a DAC RADIUS server is defined and reachable When applying the DAC settings you are presented with a report listing actions that will be applied to the participating devices Aft...

Page 740: ...on Remove RADIUS server connection Update 802 1x settings Update interface authentication settings Update interface host and session settings It is possible and likely for multiple actions to appear for each device Each action can have its own status Warnings Possible warnings for DAC server include Selected IP interface is dynamic Possible warnings for DAC clients include Device is already a clie...

Page 741: ...uthenticated device icon The DAC List Management page is displayed with the list of unauthenticated devices STEP 2 Select the devices you want to add to the white list and click Add to Whitelist STEP 3 Select the devices you want to add to the black list and click Add to Blacklist STEP 4 Click Apply Packets entering on the ports on the device are authenticated on the RADIUS server To manage the wh...

Page 742: ...tings on selected devices or interfaces or select an entry from one device and copy the entry to other devices You can also use the settings from one of the devices or interfaces as the settings for all other devices or interfaces in the selection For most services a GUI page is displayed where specific parameters can be defined for the service After you enter the parameters in the GUI page and al...

Page 743: ...vel For each of these device level services the tickets showing the current configurations of the selected devices show the following identifying information in addition to service specific parameters Device host name IP address If more than one IP address exists for the device the one used by SNA to access the device is displayed Device model The alphanumeric string representing the device model ...

Page 744: ...US server with the lowest IPv4 address The RADIUS server with the lowest IPv6 address The entry created by the service has a priority of 0 and usage type login If an entry with the same IP address or host name as the new entry already exists with priority 0 and usage type 802 1x the existing entry is updated to usage type all If an entry with a different IP address or host name already exists the ...

Page 745: ...r of the authentication port Authentication Methods List of the authentication methods used for each device by the channel currently used on SNA HTTP or HTTPS The common values for this parameter are Local or RADIUS Local If the current value for a device is any other value the copy option is not available for this device When copying settings the value RADIUS Local is mapped to the RADIUS Primary...

Page 746: ...he service will have preference 1 If a static entry of preference 1 already exists and was displayed the static server is replaced by the new entry Displayed Editable Parameters To define a new DNS server enter its IPv4 or IPv6 address SYSLOG Server Configuration This service enables defining the SYSLOG server used by the selected devices Current Configuration For every selected device the SYSLOG ...

Page 747: ...nize the time settings between all devices in the network It is especially advisable when viewing historical statistical information on multiple devices Current Configuration For every selected device the current configuration is displayed The current clock source with the following options is displayed Default SNTP servers Default servers displayed if the clock source is SNTP User defined SNTP se...

Page 748: ... When applying the server all current configured servers are deleted and the server one is added Time Zone must be configured with this option Local Clock Changes the device clock source to local clock The date time and time zone must be configured Set Date and Time Date and time if local clock is configured Time Zone Time zone offset if a user defined SNTP server or local time is configured File ...

Page 749: ...re version as follows Operations The following operations are available from the service Download firmware via HTTP Used to download a new firmware file In the local file system browse to the new firmware file and select it This file is then downloaded to all devices participating in the service After downloading the new firmware the device also automatically makes it the active firmware version ...

Page 750: ...y device that finishes the download automatically reboots in order to finish the upgrade operation this option is selected by default Download configuration via HTTP Used to download a new configuration file In the local file system browse to the new configuration file and select it This file is then downloaded to the startup configuration of all devices participating in the service ...

Page 751: ...naged Switches Firmware Release 2 4 ver 0 4 525 25 When activating the download you can request that all devices reboot after downloading the configuration file to make the new configurations active Reboot Click Go to reboot the devices without performing any other actions ...

Page 752: ...below The following parameters are displayed SNA Power Schedule active inactive Power schedule details if active Whether time power is active each day beginning on Monday and ending on Sunday Behavior of ports in off schedule times The options include PoE power inactive Data inactive Both PoE power and data inactive Custom Displayed if an SNA created schedule is not applied uniformly to all Access...

Page 753: ...d Otherwise the schedule can only be created or deleted The schedule created by this service uses a reserved name orch_power_sched Time ranges with other names are ignored by SNA When applying the settings the applied behavior is bound to all selected ports All ports that are not selected are unbound from the schedule if they were previously bound Non PoE ports are only affected if one of the beha...

Page 754: ...ork Application SNA Services 528 Cisco 350 350X and 550X Series Managed Switches Firmware Release 2 4 ver 0 4 25 The following is displayed STEP 3 Click Select Ports STEP 4 Select one or more ports and click Done ...

Page 755: ... Services Cisco 350 350X and 550X Series Managed Switches Firmware Release 2 4 ver 0 4 529 25 STEP 5 Click Add Schedule Time STEP 6 Complete the fields see descriptions above and click Go A power management policy has been defined ...

Page 756: ...LAN selection offers a selection of all existing VLANs in the network and an option to create a new VLAN After a VLAN is selected open a port selection panel that is connected to each device s card In this panel all ports that are members of the selected VLAN are marked according to their membership type A For access ports that are untagged members in the VLAN U For trunk ports that are untagged n...

Page 757: ...eters Interface name Device host name of the parent device of the interface IP address of the parent device of the interface If more than one IP address exists for the device the IP address used by SNA to access the device is displayed Device model of the parent device of the interface The alphanumeric string representing the device model For example SG350XG 2F10 Power Management Settings Interfac...

Page 758: ...ed or removed from the port and no behavior can be selected Applying the schedule to the ports has the same behavior as selecting the Data inactive option If a combination of PoE and non PoE ports is selected when applying the settings to the PoE ports the option PoE power and data inactive is treated as if it were Data inactive and the option PoE power inactive is treated as if the schedule was n...

Page 759: ...wn in parenthesis For example Suspended ACL Auto Negotiation Enabled Disabled Administrative Speed This parameter is only displayed if Auto Negotiation is disabled The values can be 10M 100M 1000M 2500M 5G or 10G Current Speed 10M 100M 1000M 2500M 5G or 10G Administrative Duplex Mode This parameter is only displayed if Auto Negotiation is disabled The values can be Half or Full Current Duplex Mode...

Page 760: ...twork you are alerted that a newer version was detected including the time it was created and the device it was detected on and prompted to select the version of settings that SNA should use The following settings can be saved Positions of all backbone devices in the network Any client device designated as a backbone device retains this status Any tag manually added to elements in the network Any ...

Page 761: ... Managed Switches Firmware Release 2 4 ver 0 4 535 25 Technical Details The following are technical details of the SNA feature Supported browsers IE10 and above Chrome FireFox Safari on MAC OS 6 1 2 7 0 2 Supported OS Win 7 Win 8 Win 8 1 Linux 2 6 3 11 MAC OSX version 10 7 and up ...

Page 762: ...and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Reviews:

No comments

Related manuals for Aironet 350 Series

3Com 3CRWE62092B - 11Mbps Wireless LAN PC Card User Manual preview
3CRWE62092B - 11Mbps Wireless LAN PC Card
Brand: 3Com Pages: 16
IBM ThinkPad i Series User Manual preview
ThinkPad i Series
Brand: IBM Pages: 82
CoolGear USB-8COMi-RM Product Manual preview
USB-8COMi-RM
Brand: CoolGear Pages: 19
Rockwell Automation Allen-Bradley CrossBoard 141C-G Series Installation Instructions preview
Allen-Bradley CrossBoard 141C-G Series
Brand: Rockwell Automation Pages: 4
Hainbuch MANOK Plus Operating Instructions Manual preview
MANOK Plus
Brand: Hainbuch Pages: 108
Z-Com XN-790 User Manual preview
XN-790
Brand: Z-Com Pages: 46
Teletronics International EZLoop 21-110 Quick Product Manual preview
EZLoop 21-110
Brand: Teletronics International Pages: 2
Ahlborn ALMEMO 8006-RTA3 Operating Instructions Manual preview
ALMEMO 8006-RTA3
Brand: Ahlborn Pages: 16
Keyspan USA-19H Manual preview
USA-19H
Brand: Keyspan Pages: 40
Macpower & Tytech D7-3500 User Manual preview
D7-3500
Brand: Macpower & Tytech Pages: 26
COP-USA WE-7020S Integration Manual preview
WE-7020S
Brand: COP-USA Pages: 7
Conceptronic CPNP200 Quick Installation Manual preview
CPNP200
Brand: Conceptronic Pages: 209
Kraus GDA-1 Installation Manual preview
GDA-1
Brand: Kraus Pages: 12
Belkin F5D7050 User Manual preview
F5D7050
Brand: Belkin Pages: 252
Protectowire APL-90 Quick Start Manual preview
APL-90
Brand: Protectowire Pages: 2
EverFocus EEPPRR--11220 User Manual preview
EEPPRR--11220
Brand: EverFocus Pages: 16
OBDLink MX Bluetooth Quick Start Manual preview
MX Bluetooth
Brand: OBDLink Pages: 12
Sony XA-DC1 Installation/Connections preview
XA-DC1
Brand: Sony Pages: 2

Brands by name

Popular brands

Load more brands